opensc-0.20.0-7.el8_9
エラータID: AXSA:2024-7353:02
リリース日:
2024/01/11 Thursday - 02:08
題名:
opensc-0.20.0-7.el8_9
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- OpenSC には、あるプロセスによってトークンもしくはカードが
認証された際に、他のプロセスからの暗号化操作も可能としてしまう
問題があるため、物理的にマシンからの認証操作が可能な攻撃者に
より、細工された空の PIN の引き渡しを介して、不正な認証を可能
とする脆弱性が存在します。(CVE-2023-40660)
- OpenSC には、ユーザーや管理者がカードを登録する際の
pkcs15-init を用いたカードの登録処理に問題があるため、物理的
にマシンへのアクセスが可能な攻撃者により、巧妙に細工された
USB デバイスまたはスマートカードを用いたレスポンス APDU
の操作を介して、鍵の生成や証明書のロード、その他のカード
登録中のカード管理操作の侵害を可能とする脆弱性が存在します。
(CVE-2023-40661)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-40660
A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.
A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.
CVE-2023-40661
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.
追加情報:
N/A
ダウンロード:
SRPMS
- opensc-0.20.0-7.el8_9.src.rpm
MD5: 04012ae214147a5f826eb9692c260d51
SHA-256: f2f19681197ca39c1c4d8727bfda69fde1a2cc61be863108060359f89d6769f4
Size: 2.14 MB
Asianux Server 8 for x86_64
- opensc-0.20.0-7.el8_9.i686.rpm
MD5: 95cb09e6b25052528cc591574a773d82
SHA-256: 76eca649f9bb98a58eb2f88a8c089f1e5d4fc723184f8f712db3d44b720260b0
Size: 1.29 MB - opensc-0.20.0-7.el8_9.x86_64.rpm
MD5: 2c6785338109e4b000a02f464228f739
SHA-256: a255f3fd10d2d97a8d3aae304b3eaf825eb8aac14f294b061e83131d1538f328
Size: 1.27 MB