Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 31 Jul 2008 17:15:22 +0200
From: Andreas Jellinghaus <aj@...geon.inka.de>
To: vendor-sec@....de
Cc: oss-security@...ts.openwall.com
Subject: OpenSC Security Advisory

OpenSC Security Advisory [31-Jul-2008]

OpenSC initializes CardOS cards with improper access rights
-----------------------------------------------------------

Chaskiel M Grundman found a security vulnerability in OpenSC.
The vulnerability has been fixed in OpenSC 0.11.5.
In Mitre's CVE dictionary this issue is filed under CVE-2008-2235.
Users will need to run "pkcs15-tool -T -U" to test (-T) and 
update (-U) the security settings on their card.

All versions of OpenSC prior to 0.11.5 initialized smart cards
with Siemens CardOS M4 card operating system without proper
access right: the ADMIN file control information in the 5015
directory on the smart card was left to 00 (all access allowed).

With this bug anyone can change a user PIN without having the PIN
or PUK or the superusers PIN or PUK. However it can not be used
to figure out the PIN. Thus if the PIN on your card is still the
same you always had, then you can be sure, that noone exploited
this vulnerability.

This vulnerability affects only smart cards and usb crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.

Users of other smart cards and usb crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected, if the card was initialized with some software other
than OpenSC.

The new version of OpenSC implements a simple way to verify if a
card is affected or not:
	pkcs15-tool has now two new options:
  --test-update, -T             Test if the card needs a security update
  --update, -U                  Update the card with a security update

Running
	pkcs15-tool -T
will either show
	fci is up-to-date, card is fine
or 
	fci is out-off-date, card is vulnerable

If the card is vulnerable, please update the security setting using:
	pkcs15-tool -T -U
this will show:
	fci is out-off-date, card is vulnerable
	security update applied with success.


Our Mac OS X Installer Package "SCA" is also affected by this vulnerability:
Version 0.2.2 and earleir are vulnerable. A new version 0.2.3 including this
fix will soon be available at
		http://www.opensc-project.org/

Our Windows Installer Package "SCB" is also affected by this vulnerability:
All versions are affected. We don't have any windows developer left, so right
now noone can update this package. But new windows binaries build using mingw
will be soon available at
		http://www.opensc-project.org/files/build/

--cut--

attached is a patch distributions can apply instead of updating to the new 
version. still users will need to run "pkcs15-tool -T -U" for all their smart 
cards and usb crypto tokens (only those based on "Siemens CardOS M4" and 
initialized with OpenSC), please let them know.

Regards, Andreas

View attachment "advisory.diff" of type "text/x-diff" (8539 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.