What is CVE-2023-40661?

CVE-2023-40661 is a vulnerability in the OpenSC packages that allows attackers to exploit memory issues in the card enrollment process using pkcs15-init.

How severe is CVE-2023-40661?

CVE-2023-40661 has a severity rating of 6.4, which is considered medium.

How can an attacker exploit CVE-2023-40661?

To exploit CVE-2023-40661, an attacker needs physical access to the computer system and must use a custom-crafted attack.

Which software is affected by CVE-2023-40661?

The OpenSC packages versions up to 0.24.0, Opensc Project Opensc versions up to 0.23.0, Redhat Enterprise Linux versions 8.0 and 9.0 are affected by CVE-2023-40661.

How can I fix CVE-2023-40661?

To fix CVE-2023-40661, update the affected software to version 0.24.0 or later.

Vulnerability/
CVE-2023-40661

medium

6.4

CWE

119

27/9/2023

6/11/2023

25/4/2024

CVE-2023-40661: Opensc: multiple memory issues with pkcs15-init (enrollment tool)

First published: Wed Sep 27 2023(Updated: )

Several memory issues that are security relevant that were reported since the release of OpenSC 0.23.0 and that are relevant to the handling the card enrollment process using pkcs15-init. All of these require physical access to the computer at the time user or administrator would be enrolling the cards (generating keys and loading certificates, other card/token management) operations. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs so they are considered a high-complexity and low-severity. This issue is not exploitable just by using a PKCS#11 module as done in most of the end-user deployments. <a href="https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651">https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651</a> <a href="https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories">https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories</a> <a href="https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1">https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1</a>

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Opensc Project Opensc	<=0.23.0
Redhat Enterprise Linux	=8.0
Redhat Enterprise Linux	=9.0
redhat/OpenSC	<0.24.0	0.24.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-40661?
CVE-2023-40661 is a vulnerability in the OpenSC packages that allows attackers to exploit memory issues in the card enrollment process using pkcs15-init.
How severe is CVE-2023-40661?
CVE-2023-40661 has a severity rating of 6.4, which is considered medium.
How can an attacker exploit CVE-2023-40661?
To exploit CVE-2023-40661, an attacker needs physical access to the computer system and must use a custom-crafted attack.
Which software is affected by CVE-2023-40661?
The OpenSC packages versions up to 0.24.0, Opensc Project Opensc versions up to 0.23.0, Redhat Enterprise Linux versions 8.0 and 9.0 are affected by CVE-2023-40661.
How can I fix CVE-2023-40661?
To fix CVE-2023-40661, update the affected software to version 0.24.0 or later.

collector/oss-sec
alias/CVE-2023-40661
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/title
agent/author
agent/references
agent/weakness
agent/severity
agent/event
collector/redhat-bugzilla
source/Red Hat
agent/tags
agent/description
collector/mitre-cve
source/MITRE
vendor/opensc project
canonical/opensc project opensc
version/opensc project opensc/0.23.0
vendor/redhat
canonical/redhat enterprise linux
version/redhat enterprise linux/8.0
version/redhat enterprise linux/9.0
package-manager/redhat