Security Vulnerability - Action Required: Insufficient Information vulnerability may in your project

[Crispy-fried-chicken]

Hi,
we have detected that your project may be vulnerable to Insufficient Information in the function of uECC_sign_with_k in the file of targetlibs/nrf5x_12/external/micro-ecc/uECC.c,targetlibs/nrf5x_15/external/micro-ecc/uECC.c and targetlibs/nrf5x_15_3/external/micro-ecc/uECC.c. It shares similarities to a recent CVE disclosure https://nvd.nist.gov/vuln/detail/CVE-2020-27209 in the https://github.com/kmackay/micro-ecc.
The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2020-27209
Description: The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-27209
Patch: kmackay/micro-ecc@1b5f5ce

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

[gfwilliams]

Hi, yes, I think this is already mentioned in #2346

A PR would be good, but are you able to test it? uECC is used in the bootloader, so if the change in version were to break anything it would cause huge problems to users.

It's also not as urgent as it might seem, since uECC is only used in bootloader mode which has to be manually entered, and the only private key that might be leaked is this one which as you can see is very much not private!

[Crispy-fried-chicken]

Sorry, maybe I'm not able to test it, so will you fix it in the near future?

[gfwilliams]

Closing as duplicate of #2346 - as mentioned this is actually of very minimal security impact