opensc-0.23.0-3.el9_3

エラータID: AXSA:2024-7337:01

Release date: 
Wednesday, January 10, 2024 - 04:30
Subject: 
opensc-0.23.0-3.el9_3
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The OpenSC set of libraries and utilities provides support for working with
smart cards. OpenSC focuses on cards that support cryptographic operations and
enables their use for authentication, mail encryption, or digital signatures.

Security Fix(es):

OpenSC: Potential PIN bypass when card tracks its own login state
(CVE-2023-40660)
OpenSC: multiple memory issues with pkcs15-init (enrollment tool)
(CVE-2023-40661)
OpenSC: out-of-bounds read in MyEID driver handling encryption using
symmetric keys (CVE-2023-4535)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2023-4535
CVE-2023-40660
CVE-2023-40661

Solution: 

Update packages.

CVEs: 
CVE-2023-40660
A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.
CVE-2023-40661
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.
CVE-2023-4535
An out-of-bounds read vulnerability was found in OpenSC packages within the MyEID driver when handling symmetric key encryption. Exploiting this flaw requires an attacker to have physical access to the computer and a specially crafted USB device or smart card. This flaw allows the attacker to manipulate APDU responses and potentially gain unauthorized access to sensitive data, compromising the system's security.
Additional Info: 

N/A

Download: 

SRPMS
  1. opensc-0.23.0-3.el9_3.src.rpm
    MD5: 34f3deba1e806afba258d5db19748a7f
    SHA-256: 59993eed3452b413107a351ebb6dd926f082f643946ba384b1368f6ed4ad6222
    Size: 2.32 MB

Asianux Server 9 for x86_64
  1. opensc-0.23.0-3.el9_3.i686.rpm
    MD5: e4a5565ef78c945c50e22b81bc3cbc66
    SHA-256: 212bc17bd200366de24d4cae68046fe61800e6f3ecef948e0695af0866be66b3
    Size: 1.26 MB
  2. opensc-0.23.0-3.el9_3.x86_64.rpm
    MD5: 06062b8dfa2621ce99de61525f53394d
    SHA-256: b634b41823a1e7a74760ddbd170cbf2f13e82310cb7a8f5cfe3bdc7ef4afe806
    Size: 1.27 MB