#VU98506 Buffer overflow in OpenSC - CVE-2024-45620
Vulnerability identifier: #VU98506
Vulnerability risk: Low
CVSSv4.0: 0.1 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
OpenSC
Universal components / Libraries /
Libraries used by multiple products
Vendor: OpenSC
Description
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to a boundary error in the pkcs15-init tool in OpenSC. An attacker with physical access to the system can use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
OpenSC: 0.11.9 - 0.25.1
External links
https://bugzilla.redhat.com/show_bug.cgi?id=2309289
https://github.com/OpenSC/OpenSC/releases/tag/0.26.0-rc1
https://github.com/advisories/GHSA-9c2g-6v5v-57qg
https://github.com/OpenSC/OpenSC/pull/3225
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
