First published: Wed Sep 27 2023
A flaw was found in OpenSC packages that allows a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty, zero-length PIN is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small tokens that are permanently connected to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/OpenSC | <0.24.0 | 0.24.0 |
| | <=0.23.0 | |
| | =8.0 | |
| | =9.0 | |
CVE-2023-40660 is a vulnerability in OpenSC packages that allows a potential PIN bypass.
The severity of CVE-2023-40660 is medium, with a CVSS score of 6.6.
To fix CVE-2023-40660, update to version 0.24.0 of OpenSC packages.
For more information, refer to the following links: [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2023-40660), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2240912), [GitHub Issue](https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651).