Vulnerabilities > CVE-2021-32033 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Protectimus Slim NFC 70 Firmware 10.01

047910
CVSS 4.6 - MEDIUM
Attack vector
PHYSICAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
low complexity
protectimus
CWE-335

Summary

Protectimus SLIM NFC 70 10.01 devices allow a Time Traveler attack in which attackers can predict TOTP passwords in certain situations. The time value used by the device can be set independently from the used seed value for generating time-based one-time passwords, without authentication. Thus, an attacker with short-time physical access to a device can set the internal real-time clock (RTC) to the future, generate one-time passwords, and reset the clock to the current time. This allows the generation of valid future time-based one-time passwords without having further access to the hardware token.

Vulnerable Configurations

Part Description Count
OS
Protectimus
1
Hardware
Protectimus
1