Bug 1215763 (CVE-2023-4535)

Summary: VUL-0: CVE-2023-4535: opensc: out-of-bounds read in MyEID driver handling encryption using symmetric keys
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: rfrohl
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/379874/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4535:3.1:(AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-09-27 12:09:40 UTC
An out-of-bounds read in the MyEID driver handling encryption using symmetric keys. An attacker needs physical access to the computer running opensc and a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so this is considered high-complexity and low-severity.

This issue is in the code handling symmetric keys, which are not widely used, for example, for desktop login, so most of the deployments are not affected.

https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4535
https://bugzilla.redhat.com/show_bug.cgi?id=2240914

Comment 3 Otto Hollmann 2023-10-05 14:03:00 UTC
I agree that this issue is fixed with commit f1993dc4e0b33050b8f72a3558ee88b24c4063b2 (myeid: fixed CID 380538 Out-of-bounds read (OVERRUN)) and was introduced by c852236e8368b47b38d89b1b7fb2dbd78753e109 (MyEID driver: support for symmetric crypt). The whole function/functionality is missing in versions before that commit.

So only 0.23.0 should be affected. I would say it's a copy-paste error if they are mentioning affected versions: OpenSC 0.17.0 - 0.23.0.

Patch is ready in my branch and will be submitted with other CVEs soon.

Comment 4 Otto Hollmann 2023-10-10 13:50:13 UTC
Submitted here:
> https://build.opensuse.org/request/show/1116670
ALP submission will continue once this one is accepted.

Comment 5 Otto Hollmann 2023-10-11 09:01:23 UTC
> Codestream                   Request
> ------------------------------------------------------------------------
> openSUSE:Factory             https://build.opensuse.org/request/show/1116670
> SUSE:ALP:Source:Standard:1.0 https://build.suse.de/request/show/310145
> SLE-15-SP4_Update            not affected
> SLE-15-SP1_Update            not affected
> SLE-12_Update                not affected

Assigning back to security team

Comment 6 Gabriele Sonnu 2024-06-10 12:43:04 UTC
All done, closing.