#VU98503 Use of uninitialized resource in OpenSC - CVE-2024-45617
Vulnerability identifier: #VU98503
Vulnerability risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-908
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
OpenSC
Universal components / Libraries /
Libraries used by multiple products
Vendor: OpenSC
Description
The vulnerability allows an attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
OpenSC: 0.11.9 - 0.25.1
External links
https://bugzilla.redhat.com/show_bug.cgi?id=2309286
https://github.com/OpenSC/OpenSC/releases/tag/0.26.0-rc1
https://github.com/advisories/GHSA-cf2w-h975-2fpg
https://github.com/OpenSC/OpenSC/pull/3225
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
