SUSE update for opensc
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2024-45615 CVE-2024-45616 CVE-2024-45617 CVE-2024-45618 CVE-2024-45619 CVE-2024-45620 CVE-2024-8443 |
| CWE-ID | CWE-909 CWE-908 CWE-119 CWE-122 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Server for SAP Applications 12 Operating systems & Components / Operating system SUSE Linux Enterprise Server 12 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 12 Operating systems & Components / Operating system opensc-debuginfo Operating systems & Components / Operating system package or component opensc Operating systems & Components / Operating system package or component opensc-debugsource Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Missing initialization of resource
EUVDB-ID: #VU98501
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-45615
CWE-ID:
CWE-909 - Missing initialization of resource
Exploit availability: No
DescriptionThe vulnerability allows an attacker to escalate privileges on the system.
The vulnerability exists due to missing initialization in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
MitigationUpdate the affected package opensc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
opensc-debuginfo: before 0.13.0-3.31.1
opensc: before 0.13.0-3.31.1
opensc-debugsource: before 0.13.0-3.31.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensc-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use of uninitialized resource
EUVDB-ID: #VU98502
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-45616
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
MitigationUpdate the affected package opensc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
opensc-debuginfo: before 0.13.0-3.31.1
opensc: before 0.13.0-3.31.1
opensc-debugsource: before 0.13.0-3.31.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensc-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use of uninitialized resource
EUVDB-ID: #VU98503
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-45617
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
MitigationUpdate the affected package opensc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
opensc-debuginfo: before 0.13.0-3.31.1
opensc: before 0.13.0-3.31.1
opensc-debugsource: before 0.13.0-3.31.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensc-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use of uninitialized resource
EUVDB-ID: #VU98504
Risk: Low
CVSSv4.0: 0.1 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-45618
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in pkcs15-init in OpenSC. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
MitigationUpdate the affected package opensc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
opensc-debuginfo: before 0.13.0-3.31.1
opensc: before 0.13.0-3.31.1
opensc-debugsource: before 0.13.0-3.31.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensc-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use of uninitialized resource
EUVDB-ID: #VU98505
Risk: Low
CVSSv4.0: 0.1 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-45619
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
MitigationUpdate the affected package opensc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
opensc-debuginfo: before 0.13.0-3.31.1
opensc: before 0.13.0-3.31.1
opensc-debugsource: before 0.13.0-3.31.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensc-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU98506
Risk: Low
CVSSv4.0: 0.1 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-45620
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to a boundary error in the pkcs15-init tool in OpenSC. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
MitigationUpdate the affected package opensc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
opensc-debuginfo: before 0.13.0-3.31.1
opensc: before 0.13.0-3.31.1
opensc-debugsource: before 0.13.0-3.31.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensc-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Heap-based buffer overflow
EUVDB-ID: #VU98507
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-8443
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to a boundary error in the libopensc OpenPGP driver. An attacker with physical access to the system can use a crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the pkcs15-init tool to trigger an out-of-bound rights, possibly resulting in arbitrary code execution.
Update the affected package opensc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
opensc-debuginfo: before 0.13.0-3.31.1
opensc: before 0.13.0-3.31.1
opensc-debugsource: before 0.13.0-3.31.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensc-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:opensc-debugsource:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
