SB2024030577 - Anolis OS update for opensc
Published: March 5, 2024 Updated: March 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Cryptographic issues (CVE-ID: CVE-2023-5992)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the PKCS#1 encryption padding removal is not implemented as side-channel resistant. A remote attacker can gain access to sensitive data.
2) Improper Authorization (CVE-ID: CVE-2023-40660)
The vulnerability allows an attacker to bypass authorization process.
The vulnerability exists due to a logic error in the authorization process. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. An attacker with physical proximity to the system can bypass the OS logon/screen for small permanently connected tokens to computers.
3) Buffer overflow (CVE-ID: CVE-2023-40661)
The vulnerability allows an attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. An attacker with physical access to the system can trigger memory corruption and execute arbitrary code with elevated privileges.
Remediation
Install update from vendor's website.