Bug 1215762 (CVE-2023-40660) - VUL-0: CVE-2023-40660: opensc: PIN bypass when card tracks its own login state
Summary: VUL-0: CVE-2023-40660: opensc: PIN bypass when card tracks its own login state
Status: RESOLVED FIXED
Alias: CVE-2023-40660
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/379872/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-40660:7.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-27 12:09 UTC by SMASH SMASH
Modified: 2023-10-23 07:00 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-09-27 12:09:00 UTC
When the token/card was plugged into the computer and authenticated from one process, it could be used to provide cryptographic operations from a different process when the empty, zero-length PIN is used and the token can track the login status using some of its internals. This is dangerous for OS logon/screen unlock and small tokens that are plugged permanently into the computer. The bypass was removed and OpenSC implemented explicit logout for most of the card drivers to prevent leaving unattended logged-in tokens.

Affected versions: OpenSC 0.17.0 - 0.23.0

https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40660
https://bugzilla.redhat.com/show_bug.cgi?id=2240912
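
The condition in the description above, reduced to a small C model. This is an added example, not OpenSC source and not part of the bug report; `struct token`, `card_verify`, `verify_pin_with_bypass`, `verify_pin_strict`, `token_logout` and the sample PIN are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSC source: all names here are hypothetical. */
enum { PIN_OK = 0, PIN_REJECTED = -1 };

/* State kept on the card itself, so it is shared by every process
 * that talks to the same plugged-in token. */
struct token {
    const char *pin;   /* constructed sample reference PIN */
    int logged_in;     /* card-internal login status */
};

/* Card-side comparison; a zero-length PIN never matches. */
static int card_verify(struct token *t, const char *pin, size_t len)
{
    if (len == 0 || len != strlen(t->pin) || memcmp(pin, t->pin, len) != 0)
        return PIN_REJECTED;
    t->logged_in = 1;
    return PIN_OK;
}

/* The bypass from the description: a zero-length PIN is accepted
 * whenever the card reports that somebody is already logged in. */
int verify_pin_with_bypass(struct token *t, const char *pin, size_t len)
{
    if (len == 0 && t->logged_in)
        return PIN_OK;
    return card_verify(t, pin, len);
}

/* Bypass removed: every caller has to present the PIN. */
int verify_pin_strict(struct token *t, const char *pin, size_t len)
{
    return card_verify(t, pin, len);
}

/* Explicit logout clears the card-side state when a session ends. */
void token_logout(struct token *t) { t->logged_in = 0; }

int main(void)
{
    struct token t = { "123456", 0 };
    verify_pin_strict(&t, "123456", 6);   /* first process logs in */
    printf("second process, empty PIN, bypass: %d\n", verify_pin_with_bypass(&t, "", 0));
    printf("second process, empty PIN, strict: %d\n", verify_pin_strict(&t, "", 0));
    return 0;
}
```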
Comment 2 Otto Hollmann 2023-10-05 14:40:17 UTC
Patches were backported and are ready in my home branch. I will submit them once I finish CVE-2023-40661.

Codestream SUSE:SLE-15:Update/opensc is affected but no longer supported.
Comment 3 Otto Hollmann 2023-10-10 13:57:59 UTC
Submitted here:
> openSUSE:Factory    https://build.opensuse.org/request/show/1116670
> SLE-15-SP4_Update   https://build.suse.de/request/show/310044
> SLE-15-SP1_Update   https://build.suse.de/request/show/310046

ALP will be submitted once the above request is accepted in Factory.
Comment 4 Otto Hollmann 2023-10-11 09:01:04 UTC
> Codestream                   Request
> ------------------------------------------------------------------------
> openSUSE:Factory             https://build.opensuse.org/request/show/1116670
> SUSE:ALP:Source:Standard:1.0 https://build.suse.de/request/show/310145
> SLE-15-SP4_Update            https://build.suse.de/request/show/310044
> SLE-15-SP1_Update            https://build.suse.de/request/show/310046
> SLE-12_Update                not affected

Assigning back to security team.
Comment 5 Maintenance Automation 2023-10-16 12:30:01 UTC
SUSE-SU-2023:4089-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215761, 1215762
CVE References: CVE-2023-40660, CVE-2023-40661
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.3 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.3 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.4 (src): opensc-0.22.0-150400.3.6.1
SUSE Linux Enterprise Micro 5.5 (src): opensc-0.22.0-150400.3.6.1
Basesystem Module 15-SP4 (src): opensc-0.22.0-150400.3.6.1
Basesystem Module 15-SP5 (src): opensc-0.22.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-10-17 16:30:02 UTC
SUSE-SU-2023:4104-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215761, 1215762
CVE References: CVE-2023-40660, CVE-2023-40661
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Proxy 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Retail Branch Server 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Manager Server 4.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Enterprise Storage 7.1 (src): opensc-0.19.0-150100.3.25.1
SUSE CaaS Platform 4.0 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro 5.1 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro 5.2 (src): opensc-0.19.0-150100.3.25.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): opensc-0.19.0-150100.3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.