opensc-0.23.0-3.el9_3
エラータID: AXSA:2024-7337:01
リリース日:
2024/01/10 Wednesday - 04:30
題名:
opensc-0.23.0-3.el9_3
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- OpenSC には、あるプロセスによってトークンもしくはカードが認証
された際に、他のプロセスからの暗号化操作も可能としてしまう問題が
あるため、物理的にマシンからの認証操作が可能な攻撃者により、細工
された空の PIN の引き渡しを介して、不正な認証を可能とする脆弱性
が存在します。(CVE-2023-40660)
- OpenSC には、ユーザーや管理者がカードを登録する際の pkcs15-init
を用いたカードの登録処理に問題があるため、物理的にマシンへのアクセス
が可能な攻撃者により、巧妙に細工された USB デバイスまたはスマート
カードを用いたレスポンス APDU の操作を介して、鍵の生成や証明書の
ロード、その他のカード登録中のカード管理操作の侵害を可能とする
脆弱性が存在します。(CVE-2023-40661)
- OpenSC の MyEID ドライバには、対称鍵暗号化の処理において境界外
読み取りが発生する問題があるため、物理的にマシンへのアクセスが
可能な攻撃者により、巧妙に細工された USB デバイスまたはスマート
カードを用いたレスポンス APDU の操作を介して、許可されていない機密
情報へのアクセスを可能とする脆弱性が存在します。(CVE-2023-4535)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-40660
A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.
A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.
CVE-2023-40661
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.
CVE-2023-4535
An out-of-bounds read vulnerability was found in OpenSC packages within the MyEID driver when handling symmetric key encryption. Exploiting this flaw requires an attacker to have physical access to the computer and a specially crafted USB device or smart card. This flaw allows the attacker to manipulate APDU responses and potentially gain unauthorized access to sensitive data, compromising the system's security.
An out-of-bounds read vulnerability was found in OpenSC packages within the MyEID driver when handling symmetric key encryption. Exploiting this flaw requires an attacker to have physical access to the computer and a specially crafted USB device or smart card. This flaw allows the attacker to manipulate APDU responses and potentially gain unauthorized access to sensitive data, compromising the system's security.
追加情報:
N/A
ダウンロード:
SRPMS
- opensc-0.23.0-3.el9_3.src.rpm
MD5: 34f3deba1e806afba258d5db19748a7f
SHA-256: 59993eed3452b413107a351ebb6dd926f082f643946ba384b1368f6ed4ad6222
Size: 2.32 MB
Asianux Server 9 for x86_64
- opensc-0.23.0-3.el9_3.i686.rpm
MD5: e4a5565ef78c945c50e22b81bc3cbc66
SHA-256: 212bc17bd200366de24d4cae68046fe61800e6f3ecef948e0695af0866be66b3
Size: 1.26 MB - opensc-0.23.0-3.el9_3.x86_64.rpm
MD5: 06062b8dfa2621ce99de61525f53394d
SHA-256: b634b41823a1e7a74760ddbd170cbf2f13e82310cb7a8f5cfe3bdc7ef4afe806
Size: 1.27 MB