Nitrokey 3 Firmware PIV Application Admin Key Authentication Vulnerability

Vulnerability

A vulnerability exists in Nitrokey 3 Firmware version 1.8.0 and in test releases with PIV enabled prior to 1.8.0. The PIV application improperly validates the admin (management) key, allowing an attacker to authenticate as the PIV administrator without knowing the correct key. Because admin authentication is what gates key generation and certificate writes in PIV, the flaw permits unauthorized generation of new keys and overwriting of certificates, compromising the integrity of the PIV data objects. The vulnerability does not allow extraction of existing private data or access to cryptographic operations that require PIN-based authentication, but it can be exploited by anyone with physical access to the Nitrokey 3 or control over a host it is connected to.

Impact

Exploitation of this vulnerability could result in unauthorized key generation and certificate overwriting within the PIV application, compromising the integrity of the PIV data objects. Generating a new key into a slot replaces the key the owner enrolled there, so certificates and signatures tied to the original key stop matching, and the slot can be loaded with attacker-chosen material without the PIN ever being entered.

Remediation

Users are advised to update to Nitrokey 3 Firmware version 1.8.1, which addresses this vulnerability. The updated firmware can be downloaded from the Nitrokey GitHub repository. After updating, confirm that the device reports version 1.8.1 or later. Because the flaw allows keys and certificates to be replaced silently, users who may have been exposed should also verify that the contents of their PIV slots still match the credentials they enrolled.
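As a practical check of whether a given device falls inside the affected range, the following is an added example, not code from Nitrokey or from this advisory. It assumes the firmware version is read from the output of `nitropy nk3 status`, that the relevant line looks like `Firmware version:   v1.8.0` (the sample status text below is constructed, not captured from a device), and that test or pre-release builds carry a suffix such as `-rc.1`. Whether PIV was enabled in a particular test build cannot be inferred from the version string, so such builds are flagged conservatively.

```python
"""Classify a Nitrokey 3 firmware version against the affected range.

Added example; not part of the advisory or of Nitrokey's tooling.
Assumptions: version strings look like "v1.8.0" or "1.7.2-rc.1", and the
`nitropy nk3 status` output contains a "Firmware version:" line.
"""
import re

FIXED = (1, 8, 1)               # first release that addresses the flaw
VULNERABLE_RELEASE = (1, 8, 0)  # the one affected stable release

# "v" prefix optional; optional pre-release / build suffix after "-" or "+".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.\-]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), suffix_or_None) for a version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4)


def is_affected(version):
    """True when the version is inside the range the advisory describes."""
    core, suffix = parse_version(version)
    if core >= FIXED:
        return False                       # 1.8.1 and later carry the fix
    if core == VULNERABLE_RELEASE and suffix is None:
        return True                        # the affected stable release
    # Stable releases before 1.8.0 did not ship PIV; only test builds
    # (suffixed versions) before 1.8.0 are affected. We cannot tell from the
    # string whether PIV was enabled, so every such build is flagged.
    return suffix is not None


def firmware_version_from_status(status_output):
    """Pull the version value out of `nitropy nk3 status`-style text."""
    for line in status_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "firmware version":
            return value.strip()
    raise ValueError("no 'Firmware version' line in status output")


# Constructed sample; format assumed, not captured from a real device.
SAMPLE_STATUS = """\
UUID:               00000000-0000-0000-0000-000000000000
Firmware version:   v1.8.0
Init status:        ok
"""


def assess(status_output):
    """Return (version, advice) for a status dump."""
    version = firmware_version_from_status(status_output)
    if is_affected(version):
        return version, "update to v%d.%d.%d" % FIXED
    return version, "not affected"


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Run `assess()` on the real output of `nitropy nk3 status` rather than the constructed sample; any device it reports as affected should be updated, and its PIV slots re-checked against the credentials that were originally enrolled.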

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.