CVE-2019-15809

Smart cards from the Athena SCS manufacturer, based on the Atmel Toolbox 00.03.11.05 and the AT90SC chip, contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because the Atmel Toolbox 00.03.11.05 contains two versions of ECDSA signature functions, described as fast and secure, but the affected cards chose to use the fast version, which leaks the bit length of the random nonce via timing. This affects Athena IDProtect 010b.0352.0005, Athena IDProtect 010e.1245.0002, Athena IDProtect 0106.0130.0401, Athena IDProtect 010e.1245.0002, Valid S/A IDflex V 010b.0352.0005, SafeNet eToken 4300 010e.1245.0002, TecSec Armored Card 010e.0264.0001, and TecSec Armored Card 108.0264.0001.

Published: 2019-10-03 | Last update: 2024-11-21 | Assigner: [email protected] | Source: [email protected]

Conclusion & alert: CVE-2019-15809 is rated Exploit Available (50/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.47%). Core evidence: 1 public exploit reference is indexed (Exploit-DB). Mandatory action: public exploits are available, so assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2019-15809

| EDB-ID | Source | Kind | Published | Link |
| --- | --- | --- | --- | --- |
| | nvd_ref | exploit_tag | | Exploit-DB ↗ |

Exploit prediction scoring system (EPSS) score for CVE-2019-15809

EPSS gives a daily estimate of the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
| --- | --- | --- | --- | --- |
| 1 | 2026-06-15 | 0.10% | 0.47% | +0.37% |
| 2 | 2025-03-30 | 0.15% | 0.10% | -0.05% |
| 3 | 2025-03-29 | | 0.15% | |

Full EPSS history (9 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2019-15809

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
| --- | --- | --- | --- | --- | --- | --- |
| 4.7 | 3.1 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.0 | 3.6 | [email protected] |
| 1.2 | 2.0 | LOW | AV:L/AC:H/Au:N/C:P/I:N/A:N | 1.9 | 2.9 | [email protected] |

CVSS 3.1 vector breakdown:

- Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
- Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
- Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
- User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
- Scope (S:U): Damage stays in the same “trust bubble” as the broken component; no big spill into unrelated systems.
- Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
- Integrity (I:N): Data isn’t meaningfully altered or forged.
- Availability (A:N): Service keeps running; no real outage angle.

CVSS 2.0 vector breakdown:

- Access vector (AV:L): Requires local access to the target system.
- Access complexity (AC:H): Exploitation requires uncommon or highly specific conditions.
- Authentication (Au:N): No authentication is required.
- Confidentiality impact (C:P): Partial confidentiality impact.
- Integrity impact (I:N): No integrity impact.
- Availability impact (A:N): No availability impact.

Weakness enumeration for CVE-2019-15809

Affected software / configurations for CVE-2019-15809

| Vendor | Product | Version | Raw CPE |
| --- | --- | --- | --- |
| microchip | atmel_toolbox | 00.03.11.05 | cpe:2.3:a:microchip:atmel_toolbox:00.03.11.05:*:*:*:*:*:*:* |
| athena-scs | idprotect | 010b.0352.0005 | cpe:2.3:o:athena-scs:idprotect:010b.0352.0005:*:*:*:*:*:*:* |
| athena-scs | idprotect | 010e.1245.0002 | cpe:2.3:o:athena-scs:idprotect:010e.1245.0002:*:*:*:*:*:*:* |
| athena-scs | idprotect | 0106.0130.0401 | cpe:2.3:o:athena-scs:idprotect:0106.0130.0401:*:*:*:*:*:*:* |
| cryptsoft | s\/a_idflex_v | 010b.0352.0005 | cpe:2.3:o:cryptsoft:s\/a_idflex_v:010b.0352.0005:*:*:*:*:*:*:* |
| tecsec | armored_card | 010e.0264.0001 | cpe:2.3:o:tecsec:armored_card:010e.0264.0001:*:*:*:*:*:*:* |
| tecsec | armored_card | 108.0264.0001 | cpe:2.3:o:tecsec:armored_card:108.0264.0001:*:*:*:*:*:*:* |
| thalesgroup | etoken_4300 | 010e.1245.0002 | cpe:2.3:o:thalesgroup:etoken_4300:010e.1245.0002:*:*:*:*:*:*:* |

References for CVE-2019-15809

cvelogic Threat Intelligence