Sentinel LDK Vulnerabilities

UPDATE: 14 Dec 2021

Thales Product Security Team has investigated a recently-reported vulnerability in Log4j, affecting Sentinel LDK-EMS versions 7.10, 8.0, 8.2 and 8.3. Customers who use these versions are advised to review the security bulletin at KB0025300.

13 Dec 2021

A security vulnerability in Log4j has been identified as affecting Sentinel LDK-EMS versions 8.0, 8.2 and 8.3. Thales recommends that vendors who use these versions should install Service Pack LDK 8.3.002 as soon as possible. This service pack can be downloaded from here. A security bulletin with more information will be published soon.

27 Dec 2019

Thales Product Security Team has investigated a recently reported vulnerability in Sentinel LDK License Manager. Customers who use this product are advised to review the security bulletin at KB0020564.

08 Nov 2019

Thales Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager. Customers who use this product are advised to review the security bulletin at KB0020199.

15 Oct 2019

Thales Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager when installed as a service. Customers who use this product as a service are advised to review the security bulletin at KB0020074.

02 May 2019

Thales Product Security Team has investigated recently reported vulnerabilities in the Sentinel LDK product. There are no known exploits of these vulnerabilities. Further information on the vulnerabilities is available at the following security bulletin link: KB0018794.

For further questions or concerns, please contact customer support at https://supportportal.gemalto.com/


Vulnerabilities in Sentinel SuperPro, Sentinel Hardware Keys and Sentinel UltraPro Products

14 Dec 2021

Thales Product Security Team has investigated a recently-reported vulnerability in Sentinel Protection Installer, affecting version 7.7.0 or earlier. Customers who use these versions are advised to review the security bulletin at KB0025301.

05 June 2019

The library "REVERB1.dll" is being loaded without specifying the system directory in the LoadLibrary call. This uncontrolled search path element could enable an attacker to load and execute a malicious DLL file. Sensitive components, protected using Sentinel CodeCover for Sentinel SuperPro, Sentinel CodeCover for Sentinel Hardware Keys (SHK), and Sentinel Shell for Sentinel UltraPro may be at risk of this vulnerability if there are no additional protection layers in place by the software vendor.

Customers who use these products are advised to review the security bulletin KB0019084 and take the recommended action as applicable. There are no known exploits of this vulnerability.
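The notice above describes an uncontrolled search path: when a DLL is loaded by bare file name, the Windows loader walks a fixed list of directories and the first match wins, so an attacker who can write to a directory earlier in that list than the legitimate copy gets code execution in the protected process. The following added example (not Thales code, and not a call into the Windows API) models that search order in Python so the effect can be reproduced offline. The directory layout, the attacker-writable working directory and the location of the legitimate REVERB1.dll are constructed assumptions; the search order itself is the documented Windows default with SafeDllSearchMode enabled.

```python
import ntpath  # Windows path semantics, usable on any platform

DLL = "REVERB1.dll"

# Constructed layout (assumption, not taken from the advisory): the legitimate
# DLL ships in a vendor directory that is on PATH, while the protected
# application is launched from a user-writable working directory.
APP_DIR = r"C:\Program Files\Vendor\App"
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Program Files\Vendor\Reverb", r"C:\Windows\System32"]

LEGIT_COPY = ntpath.join(PATH_DIRS[0], DLL)
PLANTED_COPY = ntpath.join(CWD, DLL)     # what an attacker would drop
PRESENT = {LEGIT_COPY}                   # files on disk before the attack
PRESENT_AFTER_PLANT = PRESENT | {PLANTED_COPY}
ATTACKER_WRITABLE = {CWD}


def default_search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Windows search order for a bare DLL name with SafeDllSearchMode on
    (the default): application directory, System32, the 16-bit System
    directory, the Windows directory, the current directory, then PATH."""
    return [app_dir, system_dir, ntpath.join(windows_dir, "System"),
            windows_dir, cwd, *path_dirs]


SEARCH_ORDER = default_search_order(APP_DIR, SYSTEM_DIR, WINDOWS_DIR, CWD, PATH_DIRS)


def resolve(dll_name, search_order, present):
    """Simulated loader: an absolute path is opened as given (no search);
    a bare name takes the first directory in search_order that holds it."""
    if ntpath.isabs(dll_name):
        return dll_name if dll_name in present else None
    for directory in search_order:
        candidate = ntpath.join(directory, dll_name)
        if candidate in present:
            return candidate
    return None


def hijack_point(dll_name, search_order, present, attacker_writable):
    """First attacker-writable directory the loader would consult before it
    reaches the legitimate copy; None means no planting location exists.
    A missing DLL (phantom load) is hijackable from any writable directory."""
    if ntpath.isabs(dll_name):
        return None
    legit = resolve(dll_name, search_order, present)
    for directory in search_order:
        if legit is not None and ntpath.join(directory, dll_name) == legit:
            return None
        if directory in attacker_writable:
            return directory
    return None


if __name__ == "__main__":
    print("bare name, before planting ->", resolve(DLL, SEARCH_ORDER, PRESENT))
    print("hijack point               ->", hijack_point(DLL, SEARCH_ORDER, PRESENT, ATTACKER_WRITABLE))
    print("bare name, after planting  ->", resolve(DLL, SEARCH_ORDER, PRESENT_AFTER_PLANT))
    print("full path, after planting  ->", resolve(LEGIT_COPY, SEARCH_ORDER, PRESENT_AFTER_PLANT))
```

The bare-name load is hijackable because the current directory is consulted before PATH; the full-path load is not, because no search happens at all. In native code the equivalent hardening is to pass an absolute path to LoadLibrary (for example built from GetSystemDirectory when the DLL belongs in System32) or to restrict the search with LoadLibraryEx and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag.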


Sentinel RMS License Manager Vulnerability

13 November 2020

Customers using Sentinel RMS License Manager v9.6 or earlier are recommended to upgrade to v9.7 or later. Further information is available at the following security bulletin link: KB0023236.


Protect Server PSI-E2/PSE2 Vulnerabilities

Update 10 June 2019

Thales has a long-standing relationship with Ledger and is supplying hardware security modules (HSM) for Ledger Vault deployments, Ledger’s offering to secure digital asset operations. In 2018 Ledger made Thales aware of security issues restricted to the Thales ProtectServer HSMs running firmware versions from 3.20.00 to 3.20.10 and ProtectServer-2 HSMs running firmware between 5.00.02 and 5.03.00 (excluding 5.01.03). Immediate action was taken by Thales to resolve these issues and to contact our customers with remediation action. Full details of the patch were published to our security updates portal in November 2018.

All other HSM products, including SafeNet Luna, SafeNet Data Protection On Demand and payShield, are not impacted in any way by the issues presented in Ledger’s research. We take any security claim very seriously and are grateful to Ledger for notifying us of these issues and working with us to resolution. We value the contribution of researchers and security professionals in our efforts towards continuous improvement of the security of our products.

Customers are advised to take action as described at KB0018211 to mitigate the risk.

Update 13 March 2019

The Thales Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E/PSE products (end of sale December 2014). These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Thales technical support at https://supportportal.gemalto.com/.

09 November 2018

The Thales Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E2/PSE2 products. These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Thales technical support at https://supportportal.gemalto.com/.


Sentinel UltraPro Vulnerability

Update 12 March 2019

Please note the following correction to the 09 January 2019 notice (the affected component is the Sentinel UltraPro Client Library ux32w.dll, not the Sentinel UltraPro product as a whole):

Customers who have integrated Sentinel UltraPro Client Library ux32w.dll version (v1.3.0- v1.3.2) are advised to upgrade to the latest Sentinel UltraPro Client Library ux32w.dll version (v1.3.3). Further information on the vulnerability is available at the following security bulletin link: KB0018410.

09 January 2019

Customers who have Sentinel UltraPro version (v1.3.0-1.3.2) are advised to update to the latest Sentinel UltraPro version (v1.3.3). Further information on the vulnerability is available at the following security bulletin link: KB0018410.


Meltdown & Spectre Vulnerabilities

Update 1 June 2018

The Thales Security Team has investigated the recently published vulnerabilities CVE-2018-3639 (Speculative Store Bypass, Spectre variant 4) and CVE-2018-3640 (Rogue System Register Read, variant 3a). Our investigation has concluded that for this category of vulnerability to be exploitable, an attacker would have to be able to execute arbitrary (i.e. malicious) code within the appliance environment. Thales appliance products are not impacted, as arbitrary code cannot be executed on them to exploit either of these vulnerability variants. Notwithstanding, customers should ensure that the operating systems and hypervisors of the host machines are patched where applicable.

Update 19 January 2018

The Thales Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities on our products and services, revising our guidance as more information becomes available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at: KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

Update 12 January 2018

The Thales Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities on our products and services, revising our guidance as more information becomes available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at: KB0017005

Please continue to check this website where additional information will be posted as it becomes available.

Update 09 January 2018

The Thales Enterprise and Cybersecurity Security Team has investigated the impact of these vulnerabilities on our products and services. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Further information is available at KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

04 January 2018

It has recently been announced that three vulnerabilities in modern processors, exploited by two attack techniques known as Meltdown and Spectre, could allow unauthorized access to sensitive data. They are documented as CVE-2017-5753 (Spectre variant 1, bounds check bypass), CVE-2017-5715 (Spectre variant 2, branch target injection) and CVE-2017-5754 (Meltdown, rogue data cache load).

Thales takes this issue very seriously and is investigating the impact of these vulnerabilities on our products and solutions. Thales CERT is also closely monitoring updated information related to patch availability. In parallel, we are coordinating a regular follow-up with our cloud service providers. We have set up a dedicated team of security experts to work on the situation and we will continue to monitor any developments.

Customers who have questions about these vulnerabilities should get in touch with their usual Thales Customer Support contact. Please continue to check this website where additional information will be posted as it becomes available.


Sentinel LDK Vulnerabilities

Update 12 April 2018

Customers who have Sentinel LDK Run-time Environment (RTE) version (v2.10-66) are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.80). Further information is available at the following security bulletin link: KB0017405.

Update 9 March 2018

Customers who have Sentinel LDK Run-time Environment (RTE) version (v2.10-63) are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.65). This update can be found on the Sentinel Downloads site.

25 January 2018

In September 2017, Thales published a notice advising Sentinel customers of vulnerabilities associated with the use of the Sentinel LDK EMS server and License Manager services. These vulnerabilities may impact the confidentiality and integrity of the services if exploited.

This notice is to remind customers using these services to follow the mitigation guidelines outlined in the security bulletin at the following link: KB0016365.

Thales would like to acknowledge Kaspersky for responsible disclosure of these vulnerabilities.


SAML-Based Security Vulnerabilities

5 March 2018

Thales Security Teams have investigated a new vulnerability class, reported by Duo Labs and tracked as CVE-2017-11427, that affects SAML-based single sign-on (SSO) systems. Under certain conditions, this vulnerability could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to impersonate a different user. Information on the vulnerabilities may be found at https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations.

Our analysis has determined that SafeNet Authentication Service (SAS); SafeNet Trusted Access (STA); and Data Protection as a Service (DPaaS) are NOT impacted by this vulnerability. Customers should validate that their SAML service providers are not impacted as well.
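The vulnerability class Duo Labs reported hinges on how a service provider (SP) extracts the NameID from a signed assertion. An XML comment placed inside the NameID text is discarded by the exclusive canonicalization that XML-DSig uses, so the IdP's signature still verifies, but an SP that reads only the first text node sees a truncated identity. The added example below (not Thales code and not any of the affected libraries) reproduces both behaviours with Python's standard-library DOM parser on a constructed assertion fragment; the account names, the namespace-only assertion skeleton and the omission of the signature envelope are assumptions made to keep the example self-contained.

```python
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (assumption): the attacker legitimately holds the IdP
# account "user@example.com.evil.com". After the IdP signs the assertion
# the attacker splices an empty comment into the NameID text. Exclusive
# canonicalization drops comments, so the signed bytes are unchanged and
# signature verification still succeeds over "user@example.com.evil.com".
TAMPERED_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID>user@example.com<!---->.evil.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

CLEAN_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID>user@example.com.evil.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def _name_id_element(assertion_xml):
    """Locate the NameID element; minidom keeps comment nodes, so the
    tampered NameID has three children: text, comment, text."""
    doc = minidom.parseString(assertion_xml)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def vulnerable_name_id(assertion_xml):
    """The pattern behind the reported bugs: read only the first text
    node. A comment splits the text, so everything after it is lost and
    the SP logs the attacker in as "user@example.com"."""
    return _name_id_element(assertion_xml).firstChild.data


def safe_name_id(assertion_xml):
    """Concatenate every text/CDATA child. The result equals the string
    the IdP actually signed, because comments contribute nothing after
    canonicalization."""
    element = _name_id_element(assertion_xml)
    return "".join(
        child.data
        for child in element.childNodes
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE)
    )


def strict_name_id(assertion_xml):
    """Defence in depth: a NameID should be a single run of text, so
    refuse the assertion outright if anything else is present."""
    element = _name_id_element(assertion_xml)
    if any(child.nodeType != child.TEXT_NODE for child in element.childNodes):
        raise ValueError("NameID contains comments or markup; rejecting assertion")
    return safe_name_id(assertion_xml)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_name_id(TAMPERED_ASSERTION))
    print("safe:      ", safe_name_id(TAMPERED_ASSERTION))
```

Whether a given SP is exposed depends on its XML library as much as on its own code: a parser that silently drops comments and merges adjacent text (Python's xml.etree does this by default) yields the full string, while a DOM that preserves comments yields the truncated one when only the first node is read. Checking an SP therefore means testing it with a tampered assertion like the one above, not just reviewing its source.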


Sentinel LDK Vulnerabilities

6 September 2017

Thales has identified vulnerabilities in the use of the Sentinel LDK EMS server and License Manager services that may impact the confidentiality and integrity of the services if exploited. Customers using these services are advised to follow the mitigation guidelines outlined in the security bulletins at the following links:

* We acknowledge Positive Technologies https://www.ptsecurity.com for responsible disclosure of these vulnerabilities.

Please contact customer support if you have difficulties with these links or have further questions or concerns.

Sentinel LDK License Manager Vulnerabilities

16 June 2017

Recent research reports identified vulnerabilities in Sentinel LDK License Manager services. The confidentiality and integrity of files on the target system may be compromised if these vulnerabilities are exploited. Customers using this product are advised to contact customer support and/or follow the mitigation guidelines outlined in the security bulletins at the following links:

Product specific advisories, software patches, or new software downloads for affected Thales Software Monetization products will be available in the Thales Customer Portal. Please continue to check regularly for updates or subscribe to specific product news feeds.