CVE-2021-43393 : Security Advisory and Response

STMicroelectronics STSAFE-J, J-SAFE3, and J-SIGN may allow attackers to abuse signature verification, particularly with the ECDSA signature algorithm. It impacts Java Card platforms.

Understanding CVE-2021-43393

This CVE involves potential abuse of signature verification in STMicroelectronics' products.

What is CVE-2021-43393?

STMicroelectronics STSAFE-J, J-SAFE3, and J-SIGN are vulnerable to signature verification exploitation, posing a risk to the Java Card platforms.

The Impact of CVE-2021-43393

Attackers could abuse signature verification, potentially leading to unauthorized access or fraudulent activities.
Specifically associated with the ECDSA signature algorithm in Java Card platforms, impacting certain configurations.
Products such as STSAFE-J in closed configuration are at risk.
J-SIGN is affected when signature verification is activated.
Products like J-SAFE3 EPASS BAC and EAC are not impacted.
Other products based on the J-SAFE-3 Java Card platform might also be vulnerable.

Technical Details of CVE-2021-43393

This section covers more technical aspects of the CVE.

Vulnerability Description

The vulnerability allows attackers to exploit signature verification mechanisms.

Affected Systems and Versions

STMicroelectronics STSAFE-J 1.1.4
J-SAFE3 1.2.5
J-SIGN

Exploitation Mechanism

Exploitable for STSAFE-J in closed configuration and J-SIGN when signature verification is enabled.
Not exploitable for J-SAFE3 EPASS BAC and EAC products.

Mitigation and Prevention

Protect your systems from CVE-2021-43393 with the following measures.

Immediate Steps to Take

Disable signature verification if not required.
Monitor and restrict access to vulnerable systems.
Apply patches and updates promptly.

Long-Term Security Practices

Regular security assessments and audits.
Stay informed about vendor security advisories.

Patching and Updates

Implement security patches provided by STMicroelectronics.