CVE-2024-1454: Opensc: memory use after free in authentic driver when updating token info
First published: Mon Feb 12 2024(Updated: )
The Use After Free vulnerability was identified within the AuthentIC driver in OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls or modifies cards. An attacker must have physical access to the computer system to take advantage of this flaw. The attack requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can potentially allow for compromising card management operations during enrollment. Originally reported by OSS-fuzz automated service.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SUSE OpenSC | <0.25.0 | |
| Fedora | =38 | |
| Fedora | =39 | |
| Fedora | =40 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2263930
- https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9
- https://bugzilla.redhat.com/show_bug.cgi?id=2263929
- https://access.redhat.com/security/cve/CVE-2024-1454
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64898
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OWIZ5ZLO5ECYPLSTESCF7I7PQO5X6ZSU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJI2FWLY24EOPALQ43YPQEZMEP3APPPI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UECKC7X4IM4YZQ5KRQMNBNKNOXLZC7RZ/
Frequently Asked Questions
What is the severity of CVE-2024-1454?
CVE-2024-1454 is classified as a Use After Free vulnerability, posing a serious risk if exploited.
How do I fix CVE-2024-1454?
To fix CVE-2024-1454, you should update to the latest patched version of OpenSC or the applicable Red Hat Enterprise Linux release.
Which software versions are affected by CVE-2024-1454?
CVE-2024-1454 affects OpenSC versions below 0.25.0 and specific versions of Fedora and Red Hat Enterprise Linux.
Can CVE-2024-1454 be exploited remotely?
CVE-2024-1454 requires physical access to the affected system for an attacker to exploit it.
What impact does CVE-2024-1454 have on system security?
Exploitation of CVE-2024-1454 could allow an attacker to execute arbitrary code, compromising system security.
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-1454
- agent/title
- agent/author
- agent/severity
- agent/type
- agent/description
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/remedy
- agent/event
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/opensc project
- canonical/suse opensc
- vendor/fedoraproject
- canonical/fedora
- version/fedora/38
- version/fedora/39
- version/fedora/40
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0