Bug 1215761 (CVE-2023-40661)

Summary: VUL-0: CVE-2023-40661: opensc: multiple memory issues with pkcs15-init (enrollment tool)
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: rfrohl, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/379873/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-40661:5.4:(AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-09-27 12:03:33 UTC 
Several memory issues that are security relevant that were reported since the release of OpenSC 0.23.0 and that are relevant to the handling the card enrollment process using pkcs15-init.

All of these require physical access to the computer at the time user or administrator would be enrolling the cards (generating keys and loading certificates, other card/token management) operations. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs so they are considered a high-complexity and low-severity. This issue is not exploitable just by using a PKCS#11 module as done in most of the end-user deployments.

https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40661
https://bugzilla.redhat.com/show_bug.cgi?id=2240913
Comment 1 Robert Frohl 2023-09-27 13:05:50 UTC 
taking input from the RH bug the commits are:

> * Stack buffer overflow in sc_pkcs15_get_lastupdate in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60527
> 

-> 245efe608d083fd4e4ec96793fdefd218e26fde7

>  * Heap buffer overflow in setcos_create_key in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 
> 

-> 440ca666eff10cc7011901252d20f3fc4ea23651

>  * Heap buffer overflow in cosm_new_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 
> 

-> ce7fcdaa35196706a83fe982900228e15464f928 and 41d61da8481582e12710b5858f8b635e0a71ab5e

>  * Heap double free in sc_pkcs15_free_object_content
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616 
> 

-> 638a5007a5d240d6fa901aa822cfeef94fe36e85

>  * Stack buffer overflow in cflex_delete_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 
> 

-> c449a181a6988cc1e8dc8764d23574e48cdc3fa6

>  * Heap buffer overflow in sc_hsm_write_ef in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 
> 

-> could not locate

>  * Stack buffer overflow while parsing pkcs15 profile files
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
> 

-> 5631e9843c832a99769def85b7b9b68b4e3e3959

>  * Stack buffer overflow in muscle driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 

-> df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1

> 
>  * Stack buffer overflow in cardos driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927

-> 578aed8391ef117ca64a9e0cba8e5c264368a0ec


There are though 47 references to oss-fuzz in general.

Maybe better to do a full version update ?
Comment 2 Otto Hollmann 2023-09-27 15:04:13 UTC 
Unfortunately there is only 0.24.0-rc release and at least some issues seems to affect versions before 0.23.0 (so even SLES is affected). So I will investigate which versions are affected and how to fix them.

I verified that above commit id's are correct/sufficient to resolve issue according to changelog.
Comment 3 Otto Hollmann 2023-10-06 14:35:27 UTC 
(In reply to Robert Frohl from comment #1)
> >  * Heap buffer overflow in sc_hsm_write_ef in pkcs15init
> > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 
> > 
> 
> -> could not locate
> 
It's this commit: dd138d0600a1acd7991989127f36827e5836b24e

I will backport it on Monday, everything else is done.
Comment 4 Otto Hollmann 2023-10-10 14:31:46 UTC 
Submitted here:
> openSUSE:Factory    https://build.opensuse.org/request/show/1116670
> SLE-15-SP4_Update   https://build.suse.de/request/show/310044
> SLE-15-SP1_Update   https://build.suse.de/request/show/310046
> SLE-12_Update       https://build.suse.de/request/show/310048

ALP will be submitted once above request will be accepted in Factory.

SLE15-SP1 and SLE-12_Update were only partially affected, see list below:
> * Stack buffer overflow in sc_pkcs15_get_lastupdate in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60527
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap buffer overflow in setcos_create_key in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap buffer overflow in cosm_new_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap double free in sc_pkcs15_free_object_content
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616 
> 
Neither SLE15-SP1 nor SLE-12_Update was affected.

>  * Stack buffer overflow in cflex_delete_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap buffer overflow in sc_hsm_write_ef in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 
> 
Only SLE15-SP1 was affected.

>  * Stack buffer overflow while parsing pkcs15 profile files
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Stack buffer overflow in muscle driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Stack buffer overflow in cardos driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
> 
Both SLE15-SP1 and SLE-12_Update were affected.
Comment 6 Otto Hollmann 2023-10-11 09:00:41 UTC 
> Codestream                   Request
> ------------------------------------------------------------------------
> openSUSE:Factory             https://build.opensuse.org/request/show/1116670
> SUSE:ALP:Source:Standard:1.0 https://build.suse.de/request/show/310145
> SLE-15-SP4_Update            https://build.suse.de/request/show/310044
> SLE-15-SP1_Update            https://build.suse.de/request/show/310046
> SLE-12_Update                https://build.suse.de/request/show/310136

Assigning back to security team
Comment 7 Maintenance Automation 2023-10-12 12:46:14 UTC 
SUSE-SU-2023:4065-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1191957, 1215761
CVE References: CVE-2021-42782, CVE-2023-40661
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): opensc-0.13.0-3.25.1
SUSE Linux Enterprise Server 12 SP5 (src): opensc-0.13.0-3.25.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): opensc-0.13.0-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-10-16 12:30:01 UTC 
SUSE-SU-2023:4089-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215761, 1215762
CVE References: CVE-2023-40660, CVE-2023-40661
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.3 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.3 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.4 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.5 (src): opensc-0.22.0-150400.3.6.1
Basesystem Module 15-SP4 (src): opensc-0.22.0-150400.3.6.1
Basesystem Module 15-SP5 (src): opensc-0.22.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-10-17 16:30:02 UTC 
SUSE-SU-2023:4104-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215761, 1215762
CVE References: CVE-2023-40660, CVE-2023-40661
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Proxy 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Retail Branch Server 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Server 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Enterprise Storage 7.1 (src): opensc-0.19.0-150100.3.25.1
SUSE CaaS Platform 4.0 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro 5.1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro 5.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): opensc-0.19.0-150100.3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.