Bug 1215761 (CVE-2023-40661) - VUL-0: CVE-2023-40661: opensc: multiple memory issues with pkcs15-init (enrollment tool)
Summary: VUL-0: CVE-2023-40661: opensc: multiple memory issues with pkcs15-init (enrol...
Status: RESOLVED FIXED
Alias: CVE-2023-40661
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/379873/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-40661:5.4:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-27 12:03 UTC by SMASH SMASH
Modified: 2023-11-06 04:25 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-09-27 12:03:33 UTC
Several security-relevant memory issues that were reported since the release of OpenSC 0.23.0 and that are relevant to handling the card enrollment process using pkcs15-init.

All of these require physical access to the computer at the time a user or administrator would be enrolling cards (generating keys and loading certificates, and other card/token management operations). The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so they are considered high-complexity and low-severity. This issue is not exploitable just by using a PKCS#11 module as done in most end-user deployments.

https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40661
https://bugzilla.redhat.com/show_bug.cgi?id=2240913
Comment 1 Robert Frohl 2023-09-27 13:05:50 UTC
taking input from the RH bug the commits are:

> * Stack buffer overflow in sc_pkcs15_get_lastupdate in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60527
> 

-> 245efe608d083fd4e4ec96793fdefd218e26fde7

>  * Heap buffer overflow in setcos_create_key in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 
> 

-> 440ca666eff10cc7011901252d20f3fc4ea23651

>  * Heap buffer overflow in cosm_new_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 
> 

-> ce7fcdaa35196706a83fe982900228e15464f928 and 41d61da8481582e12710b5858f8b635e0a71ab5e

>  * Heap double free in sc_pkcs15_free_object_content
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616 
> 

-> 638a5007a5d240d6fa901aa822cfeef94fe36e85

>  * Stack buffer overflow in cflex_delete_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 
> 

-> c449a181a6988cc1e8dc8764d23574e48cdc3fa6

>  * Heap buffer overflow in sc_hsm_write_ef in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 
> 

-> could not locate

>  * Stack buffer overflow while parsing pkcs15 profile files
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
> 

-> 5631e9843c832a99769def85b7b9b68b4e3e3959

>  * Stack buffer overflow in muscle driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 

-> df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1

> 
>  * Stack buffer overflow in cardos driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927

-> 578aed8391ef117ca64a9e0cba8e5c264368a0ec


There are, though, 47 references to oss-fuzz in general.

Maybe better to do a full version update?
Comment 2 Otto Hollmann 2023-09-27 15:04:13 UTC
Unfortunately there is only a 0.24.0-rc release, and at least some issues seem to affect versions before 0.23.0 (so even SLES is affected). So I will investigate which versions are affected and how to fix them.

I verified that the above commit IDs are correct/sufficient to resolve the issue according to the changelog.
Comment 3 Otto Hollmann 2023-10-06 14:35:27 UTC
(In reply to Robert Frohl from comment #1)
> >  * Heap buffer overflow in sc_hsm_write_ef in pkcs15init
> > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 
> > 
> 
> -> could not locate
> 
It's this commit: dd138d0600a1acd7991989127f36827e5836b24e

I will backport it on Monday, everything else is done.
Comment 4 Otto Hollmann 2023-10-10 14:31:46 UTC
Submitted here:
> openSUSE:Factory    https://build.opensuse.org/request/show/1116670
> SLE-15-SP4_Update   https://build.suse.de/request/show/310044
> SLE-15-SP1_Update   https://build.suse.de/request/show/310046
> SLE-12_Update       https://build.suse.de/request/show/310048

ALP will be submitted once the above request is accepted in Factory.

SLE15-SP1 and SLE-12_Update were only partially affected, see list below:
> * Stack buffer overflow in sc_pkcs15_get_lastupdate in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60527
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap buffer overflow in setcos_create_key in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap buffer overflow in cosm_new_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap double free in sc_pkcs15_free_object_content
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616 
> 
Neither SLE15-SP1 nor SLE-12_Update was affected.

>  * Stack buffer overflow in cflex_delete_file in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Heap buffer overflow in sc_hsm_write_ef in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 
> 
Only SLE15-SP1 was affected.

>  * Stack buffer overflow while parsing pkcs15 profile files
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Stack buffer overflow in muscle driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 
> 
Both SLE15-SP1 and SLE-12_Update were affected.

>  * Stack buffer overflow in cardos driver in pkcs15init
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
> 
Both SLE15-SP1 and SLE-12_Update were affected.
Comment 6 Otto Hollmann 2023-10-11 09:00:41 UTC
> Codestream                   Request
> ------------------------------------------------------------------------
> openSUSE:Factory             https://build.opensuse.org/request/show/1116670
> SUSE:ALP:Source:Standard:1.0 https://build.suse.de/request/show/310145
> SLE-15-SP4_Update            https://build.suse.de/request/show/310044
> SLE-15-SP1_Update            https://build.suse.de/request/show/310046
> SLE-12_Update                https://build.suse.de/request/show/310136

Assigning back to security team
Comment 7 Maintenance Automation 2023-10-12 12:46:14 UTC
SUSE-SU-2023:4065-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1191957, 1215761
CVE References: CVE-2021-42782, CVE-2023-40661
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): opensc-0.13.0-3.25.1
SUSE Linux Enterprise Server 12 SP5 (src): opensc-0.13.0-3.25.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): opensc-0.13.0-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-10-16 12:30:01 UTC
SUSE-SU-2023:4089-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215761, 1215762
CVE References: CVE-2023-40660, CVE-2023-40661
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.3 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.3 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.4 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.5 (src): opensc-0.22.0-150400.3.6.1
Basesystem Module 15-SP4 (src): opensc-0.22.0-150400.3.6.1
Basesystem Module 15-SP5 (src): opensc-0.22.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-10-17 16:30:02 UTC
SUSE-SU-2023:4104-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215761, 1215762
CVE References: CVE-2023-40660, CVE-2023-40661
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Proxy 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Retail Branch Server 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Server 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Enterprise Storage 7.1 (src): opensc-0.19.0-150100.3.25.1
SUSE CaaS Platform 4.0 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro 5.1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro 5.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): opensc-0.19.0-150100.3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
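The three update notices above give the fixed opensc source versions per codestream (0.13.0-3.25.1 for SLE 12 SP5, 0.19.0-150100.3.25.1 for the SLE 15 SP1 to SP3 based products, 0.22.0-150400.3.6.1 for SLE 15 SP4/SP5 and SLE Micro 5.3 to 5.5). The script below is an added example for this page, not SUSE or OpenSC tooling: it reads the installed VERSION-RELEASE via `rpm -q`, compares the release against the fix for that upstream version using a re-implementation of rpm's rpmvercmp ordering (the `^` operator is left out), and classifies the host. The fixed strings are copied from the notices; the "installed" sample strings used when rpm is unavailable are constructed for illustration and are not real earlier SUSE release numbers. A Factory or other non-SUSE build reports `unknown` and must be checked against its own changelog. Two caveats from the page itself: the notices say an update "might be only a partial fix", so `fixed` means only that the listed update is installed, and the description says the bugs are reachable only through pkcs15-init enrollment with a malicious card, not through ordinary PKCS#11 use, which is a reason to restrict who may run enrollment on shared hosts, not a reason to skip the update.

```python
"""Check an installed opensc package against the fixed versions listed on
bug 1215761 (SUSE-SU-2023:4065-1, :4089-1 and :4104-1).

Added example for this page; not SUSE or OpenSC tooling. The FIXED_RELEASE
table is copied from the update notices; the sample inputs at the bottom are
constructed for illustration only.
"""
import re
import shutil
import subprocess
from typing import Optional

# Fixed source package VERSION-RELEASE from the three notices, keyed by the
# upstream version so each codestream is compared against its own fix.
FIXED_RELEASE = {
    "0.13.0": "3.25.1",          # SLE 12 SP5 (SUSE-SU-2023:4065-1)
    "0.19.0": "150100.3.25.1",   # SLE 15 SP1-SP3 LTSS based products (SUSE-SU-2023:4104-1)
    "0.22.0": "150400.3.6.1",    # SLE 15 SP4/SP5, SLE Micro 5.3-5.5 (SUSE-SU-2023:4089-1)
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version/release strings like rpm's rpmvercmp().

    Returns -1 if a < b, 0 if equal, 1 if a > b. Strings are split into
    numeric, alphabetic and '~' segments; separators are ignored, numeric
    segments compare as integers and beat alphabetic ones, and '~' sorts
    before everything (1.0~rc1 < 1.0). The '^' operator is not handled.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment is newer
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    if rest == "~":
        return -1 if a_longer else 1   # a trailing ~ makes the longer string older
    return 1 if a_longer else -1


def opensc_status(version_release: str) -> str:
    """Classify a VERSION-RELEASE string for opensc as fixed/vulnerable/unknown."""
    version, _, release = version_release.strip().partition("-")
    fixed = FIXED_RELEASE.get(version)
    if fixed is None or not release:
        return "unknown"   # not one of the codestreams on this bug
    return "fixed" if rpmvercmp(release, fixed) >= 0 else "vulnerable"


def installed_opensc() -> Optional[str]:
    """Query rpm on this host; None if rpm or the opensc package is absent."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "opensc"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    return proc.stdout.splitlines()[0].strip()   # first arch if multi-arch


if __name__ == "__main__":
    live = installed_opensc()
    # Constructed sample inputs; only the "fixed" ones are real SUSE releases.
    samples = [live] if live else [
        "0.22.0-150400.3.6.1", "0.22.0-150400.3.3.1",
        "0.19.0-150100.3.25.1", "0.19.0-150100.3.22.1",
        "0.13.0-3.25.1", "0.13.0-3.22.1", "0.23.0-1.1",
    ]
    for s in samples:
        print(f"opensc-{s}: {opensc_status(s)}")
```

Run it on the host as any user; `rpm -q` needs no privileges. Keying the table on the upstream version rather than on the product name avoids guessing the codestream from `/etc/os-release`, which is unreliable on LTSS and Micro variants that share a source package.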