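Vulnerability Details
nCipher MSCAPI CSP Install Wizard Incorrect Key Generation Vulnerability
- CNNVD ID: CNNVD-200210-233
- Severity: Medium
- CVE ID:
CVE-2002-0939
- Vulnerability type:
Configuration error
- Published:
2002-10-04
- Threat type:
Local
- Updated:
2005-10-20
- Vendor:
ncipher
- Vulnerability source:
Published in nCiph…
Vulnerability Summary
The Install Wizard in nCipher MSCAPI CSP version 5.50 does not use Operator Card Set-protected keys when the user requests them but does not generate an Operator Card Set. This results in a lower level of protection (module protection only) than the user specified.
Vulnerability Advisory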
The following fix information has been provided by nCipher:
1. Users who have NOT already created a key with the wrong protection
---------------------------------------------------------------------
In order to force MSCAPI applications to generate cardset protected keys
a file `wizardfix.reg' should be created containing the following text:
------------ CUT HERE ------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\Cryptography]
"UseModuleKeys"=dword:0000000
------------ CUT HERE ------------
This file can then be run by the user to change the appropriate registry
entry that determines the behavior of key generation using the nCipher
CSP.
Alternatively, the user can edit the registry value specified above
directly using `regedit'.
The registry setting must be reset using either of the above methods
after each invocation of the affected nCipher CSP Install Wizard.
2. Users who have already created a key which is erroneously module
protected
---------------------------------------------------------------------
Users who have already generated keys which were intended to be cardset
protected, but due to this error are not, are advised to apply the above
registry fix and generate new keys. nCipher recommends against
converting existing module-protected keys to cardset-protected status,
since it is extremely difficult to do this in a way that increases
security.
nCipher customers are advised to contact nCipher at support@ncipher.com for information on receiving patches and updates which address this issue.
References
Source: XF
Name: mscapi-csp-key-generation(9076)
Link: http://www.iss.net/security_center/static/9076.php
Source: BUGTRAQ
Name: 20020513 nCipher Security Advisory #3: MSCAPI CSP Install Wizard
Link: http://archives.neohapsis.com/archives/bugtraq/2002-05/0103.html
Source: BID
Name: 4729
Link: http://www.securityfocus.com/bid/4729