Debian: DLA-3668-1 critical: opensc PIN bypass and app crash

debian lts
November 27, 2023
Critical vulnerabilities in opensc expose risks of application crash and PIN bypass. Upgrade recommended for Debian systems.
Vulnerabilities were found in opensc, a set of libraries and utilities to access smart cards, which could lead to application crash or PIN bypass.

Summary

CVE-2023-40660

When the token/card was plugged into the computer and authenticated
from one process, it could be used to provide cryptographic
operations from a different process when the empty, zero-length PIN
was used and the token can track the login status using some of its
internals. This is dangerous for OS logon/screen unlock and small
tokens that are plugged permanently into the computer.

The bypass was removed and explicit logout implemented for most of
the card drivers to prevent leaving unattended logged-in tokens.
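The following is an added, illustrative model of the bypass described above and of the two changes the fix mentions (rejecting the empty PIN and logging out explicitly). It is not OpenSC code: the Token class stands in for the card's own login flag, which is shared by every process using the reader, and the error code for a zero-length PIN is a made-up value.

```python
"""Model of the CVE-2023-40660 login-state bypass and its hardened form.

Added example, not OpenSC code. A real card keeps its own PIN-verified
state; the vulnerable driver path treated "card reports logged in" plus
a zero-length PIN as a successful verification, so a second process on
the same host could use a still-plugged token without knowing the PIN.
"""

SC_SUCCESS = 0
SC_ERROR_PIN_CODE_INCORRECT = -1
SC_ERROR_INVALID_PIN_LENGTH = -2   # hypothetical value, not OpenSC's

LOGGED_OUT, LOGGED_IN = 0, 1


class Token:
    """Card-side state, shared by every process that talks to the reader."""

    def __init__(self, pin):
        self._pin = pin
        self.login_state = LOGGED_OUT

    def verify(self, pin):
        if pin == self._pin:
            self.login_state = LOGGED_IN
            return SC_SUCCESS
        return SC_ERROR_PIN_CODE_INCORRECT

    def logout(self):
        self.login_state = LOGGED_OUT

    def sign(self, data):
        """Private-key operation; the card only checks its own login flag."""
        if self.login_state != LOGGED_IN:
            raise PermissionError("card not authenticated")
        return b"sig:" + data


def verify_pin_vulnerable(token, pin):
    # The bypass: an empty PIN is accepted whenever the card already
    # reports LOGGED_IN, regardless of which process performed the login.
    if len(pin) == 0 and token.login_state == LOGGED_IN:
        return SC_SUCCESS
    return token.verify(pin)


def verify_pin_hardened(token, pin):
    # Fixed behaviour: a zero-length PIN is never a proof of possession.
    if len(pin) == 0:
        return SC_ERROR_INVALID_PIN_LENGTH
    return token.verify(pin)


def cross_process_scenario(verify_pin, logout_on_close):
    """Process A logs in and exits; process B then tries an empty-PIN login.

    Returns True if process B obtained a signature without knowing the PIN.
    """
    token = Token(pin=b"123456")          # constructed sample PIN
    # Process A: the legitimate user, e.g. OS logon or screen unlock.
    if verify_pin(token, b"123456") != SC_SUCCESS:
        raise RuntimeError("legitimate login failed")
    token.sign(b"unlock-challenge")
    if logout_on_close:                   # explicit logout added by the fix
        token.logout()
    # Process B: another local process; PIN unknown, token still plugged in.
    if verify_pin(token, b"") != SC_SUCCESS:
        return False
    try:
        token.sign(b"attacker-data")
        return True
    except PermissionError:
        return False
```

Running the scenario with verify_pin_vulnerable and no logout reproduces the bypass; either change on its own (rejecting the empty PIN, or logging out when the first process is done) closes it, which is why the fix does both: the logout also protects tokens whose card-level state would otherwise stay authenticated until unplugged.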

CVE-2023-40661

This advisory summarizes automatically reported issues from dynamic
analyzer reports in pkcs15-init that are security relevant.

* stack buffer overflow in sc_pkcs15_get_lastupdate() in pkcs15init;
* heap buffer overflow in setcos_create_key() in pkcs15init;
* heap buffer overflow in cosm_new_file() in pkcs15init;
* stack buffer overflow in cflex_delete_file() in pkcs15init;



Severity
critical

Package: opensc
Version: 0.19.0-1+deb10u3
CVE ID: CVE-2023-40660 CVE-2023-40661
Debian Bug: 1055521 1055522
