Libopensc: uninitialized values after incorrect check or usage of apdu response values in libopensc

CVE-2024-45616

3.9LOW

Key Information

Vendor: Red Hat
Status: Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 3 September 2024

Summary

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

CVSS V3.1

Score:

3.9

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Physical

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 3.9 - (LOW)
Sep 14, 2024
Vulnerability published.
Sep 3, 2024
Reported to Red Hat.
Sep 2, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Matteo Marini (Sapienza University of Rome) for reporting this issue.