4.2 MEDIUM
CVE-2021-3011
"NXP SmartMX/P5x and A7x Secure Authentication Microcontrollers and FIDO U2F Security Keys Electromagnetic-Wave Side-Channel Key Extraction"
Description

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).

INFO

Published Date: Jan. 7, 2021, 4:15 p.m.
Last Modified: Feb. 15, 2024, 9:20 p.m.
Remotely Exploitable: No
Impact Score: 3.6
Exploitability Score: 0.5

Affected Products

The following products are affected by the CVE-2021-3011 vulnerability. Even if cvefeed.io is aware of the exact affected versions, that information is not shown in the table below.

ID Vendor Product
1 Nxp 3a081
2 Nxp a7005a
3 Nxp j2a081
4 Nxp j2d081_m59
5 Nxp j2d081_m61
6 Nxp j2d082_m60
7 Nxp j2d120_m60
8 Nxp j2d145_m59
9 Nxp j2e081_m64
10 Nxp j2e082_m65
11 Nxp j2e120_m65
12 Nxp j2e145_m64
13 Nxp j3a041
14 Nxp j3d081_m59
15 Nxp j3d081_m59_df
16 Nxp j3d081_m61
17 Nxp j3d081_m61_df
18 Nxp j3d082_m60
19 Nxp j3d120_m60
20 Nxp j3d145_m59
21 Nxp j3e016_m64
22 Nxp j3e016_m64_df
23 Nxp j3e016_m66
24 Nxp j3e016_m66_df
25 Nxp j3e041_m64
26 Nxp j3e041_m64_df
27 Nxp j3e041_m66
28 Nxp j3e041_m66_df
29 Nxp j3e081_m64
30 Nxp j3e081_m64_df
31 Nxp j3e081_m66
32 Nxp j3e081_m66_df
33 Nxp j3e082_m65
34 Nxp j3e120_m65
35 Nxp j3e145_m64
36 Nxp p5010
37 Nxp p5020
38 Nxp p5021
39 Nxp p5040
1 Ftsafe k13
2 Ftsafe k21
3 Ftsafe k40
4 Ftsafe k9
1 Google titan_security_key
1 Yubico yubikey_neo
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2021-3011.

URL Resource
https://ninjalab.io/a-side-journey-to-titan/ Third Party Advisory
https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf Exploit, Technical Description, Third Party Advisory

The following table lists the changes that have been made to the CVE-2021-3011 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • Reanalysis by [email protected]

    Feb. 15, 2024

    Action Type Old Value New Value
    Removed CWE NIST CWE-203
    Added CWE NIST CWE-670
  • Reanalysis by [email protected]

    Jul. 20, 2023

    Action Type Old Value New Value
    Changed CPE Configuration OR *cpe:2.3:h:ftsafe:k13:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k21:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k40:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k9:-:*:*:*:*:*:*:* *cpe:2.3:h:google:titan_security_key:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:3a081:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:a7005a:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2a081:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d081_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d081_m61:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d082_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d120_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d145_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e081_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e082_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e120_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e145_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3a041:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m59_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m61:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m61_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d082_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d120_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d145_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e082_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e120_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e145_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5010:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5020:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5021:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5040:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:smartmx2_p60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:smartmx3_p71d320:-:*:*:*:*:*:*:* 
*cpe:2.3:h:nxp:smartmx3_p71d321:-:*:*:*:*:*:*:* *cpe:2.3:h:yubico:yubikey_neo:-:*:*:*:*:*:*:* OR *cpe:2.3:h:ftsafe:k13:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k21:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k40:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k9:-:*:*:*:*:*:*:* *cpe:2.3:h:google:titan_security_key:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:3a081:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:a7005a:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2a081:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d081_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d081_m61:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d082_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d120_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d145_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e081_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e082_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e120_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e145_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3a041:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m59_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m61:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m61_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d082_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d120_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d145_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e082_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e120_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e145_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5010:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5020:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5021:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5040:-:*:*:*:*:*:*:* *cpe:2.3:h:yubico:yubikey_neo:-:*:*:*:*:*:*:*
  • Initial Analysis by [email protected]

    Jan. 20, 2021

    Action Type Old Value New Value
    Added CVSS V2 NIST (AV:L/AC:M/Au:N/C:P/I:N/A:N)
    Added CVSS V3.1 NIST AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    Changed Reference Type https://ninjalab.io/a-side-journey-to-titan/ No Types Assigned https://ninjalab.io/a-side-journey-to-titan/ Third Party Advisory
    Changed Reference Type https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf No Types Assigned https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf Exploit, Technical Description, Third Party Advisory
    Added CWE NIST CWE-203
    Added CPE Configuration OR *cpe:2.3:h:ftsafe:k13:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k21:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k40:-:*:*:*:*:*:*:* *cpe:2.3:h:ftsafe:k9:-:*:*:*:*:*:*:* *cpe:2.3:h:google:titan_security_key:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:3a081:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:a7005a:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2a081:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d081_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d081_m61:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d082_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d120_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2d145_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e081_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e082_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e120_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j2e145_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3a041:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m59_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m61:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d081_m61_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d082_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d120_m60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3d145_m59:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e016_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e041_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m64_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m66:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e081_m66_df:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e082_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e120_m65:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:j3e145_m64:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5010:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5020:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5021:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:p5040:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:smartmx2_p60:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:smartmx3_p71d320:-:*:*:*:*:*:*:* *cpe:2.3:h:nxp:smartmx3_p71d321:-:*:*:*:*:*:*:* 
*cpe:2.3:h:yubico:yubikey_neo:-:*:*:*:*:*:*:*
Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

Score: 0.03%
Percentile: 0.40659
