First published: Wed Sep 27 2023(Updated: )
Several memory issues that are security relevant that were reported since the release of OpenSC 0.23.0 and that are relevant to the handling the card enrollment process using pkcs15-init. All of these require physical access to the computer at the time user or administrator would be enrolling the cards (generating keys and loading certificates, other card/token management) operations. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs so they are considered a high-complexity and low-severity. This issue is not exploitable just by using a PKCS#11 module as done in most of the end-user deployments. <a href="https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651">https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651</a> <a href="https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories">https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories</a> <a href="https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1">https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1</a>
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Opensc Project Opensc | <=0.23.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =9.0 | |
redhat/OpenSC | <0.24.0 | 0.24.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-40661 is a vulnerability in the OpenSC packages that allows attackers to exploit memory issues in the card enrollment process using pkcs15-init.
CVE-2023-40661 has a severity rating of 6.4, which is considered medium.
To exploit CVE-2023-40661, an attacker needs physical access to the computer system and must use a custom-crafted attack.
The OpenSC packages versions up to 0.24.0, Opensc Project Opensc versions up to 0.23.0, Redhat Enterprise Linux versions 8.0 and 9.0 are affected by CVE-2023-40661.
To fix CVE-2023-40661, update the affected software to version 0.24.0 or later.