Test ID: 1.3.6.1.4.1.25623.1.1.1.2.2023.3668
Category: Debian Local Security Checks
Title: Debian: Security Advisory (DLA-3668-1)
Summary: The remote host is missing an update for the Debian 'opensc' package(s) announced via the DLA-3668-1 advisory.
Description:

Summary: The remote host is missing an update for the Debian 'opensc' package(s) announced via the DLA-3668-1 advisory.

Vulnerability Insight: Vulnerabilities were found in opensc, a set of libraries and utilities to access smart cards, which could lead to an application crash or an authentication bypass.

CVE-2023-40660
When the token/card was plugged into the computer and authenticated from one process, it could be used to provide cryptographic operations from a different process when the PIN is empty (zero-length) and the token can track the login status using some of its internals. This is dangerous for OS logon/screen unlock and for small tokens that are plugged permanently into the computer. The bypass was removed and an explicit logout was implemented for most of the card drivers to prevent leaving unattended logged-in tokens.

CVE-2023-40661
This advisory summarizes automatically reported issues from dynamic analyzer reports in pkcs15-init that are security relevant:
- stack buffer overflow in sc_pkcs15_get_lastupdate() in pkcs15init
- heap buffer overflow in setcos_create_key() in pkcs15init
- heap buffer overflow in cosm_new_file() in pkcs15init
- stack buffer overflow in cflex_delete_file() in pkcs15init
- heap buffer overflow in sc_hsm_write_ef() in pkcs15init
- stack buffer overflow while parsing pkcs15 profile files
- stack buffer overflow in the muscle driver in pkcs15init
- stack buffer overflow in the cardos driver in pkcs15init
All of these require physical access to the computer at the time a user or administrator would be performing card enrollment operations (generating keys, loading certificates, other card/token management). The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so they are considered high-complexity and low-severity. This issue is not exploitable just by using a PKCS#11 module, as is done in most end-user deployments.

For Debian 10 buster, these problems have been fixed in version 0.19.0-1+deb10u3. We recommend that you upgrade your opensc packages. For the detailed security status of opensc please refer to its security tracker page at: [link moved to references]. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]

Affected Software/OS: 'opensc' package(s) on Debian 10.

Solution: Please install the updated package(s).

CVSS Score: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:

Common Vulnerability Exposure (CVE) ID: CVE-2023-40660
RHBZ#2240912 https://bugzilla.redhat.com/show_bug.cgi?id=2240912
RHSA-2023:7876 https://access.redhat.com/errata/RHSA-2023:7876
RHSA-2023:7879 https://access.redhat.com/errata/RHSA-2023:7879
http://www.openwall.com/lists/oss-security/2023/12/13/2
https://access.redhat.com/security/cve/CVE-2023-40660
https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/

Common Vulnerability Exposure (CVE) ID: CVE-2023-40661
RHBZ#2240913 https://bugzilla.redhat.com/show_bug.cgi?id=2240913
http://www.openwall.com/lists/oss-security/2023/12/13/3
https://access.redhat.com/security/cve/CVE-2023-40661

Copyright: Copyright (C) 2023 Greenbone AG