Bug 1837946 (CVE-2019-20792)
| Summary: | CVE-2019-20792 opensc: Double free in coolkey_free_private_data in libopensc/card-coolkey.c | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | crypto-team, gmazyland, jjelen, klember, nmavrogi, tmraz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | opensc 0.20.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A use-after-free vulnerability was discovered in OpenSC while disconnecting a smart card. A physical attacker could exploit this flaw by inserting and removing a malicious smart card handled by the coolkey driver, potentially executing code on the target system with privileges that depend on the particular configuration and system that makes use of the OpenSC library. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 02:25:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1837948, 1838182, 1838709, 1838710, 1838711, 1838712, 1838713, 1838714, 1841494 | | |
| Bug Blocks: | 1837950 | | |
Description
Marian Rehak
2020-05-20 09:12:36 UTC
Created opensc tracking bugs for this issue:

Affects: fedora-30 [bug 1837948]

Created opensc tracking bugs for this issue:

Affects: epel-all [bug 1838182]

Function coolkey_free_private_data() iterates over all elements in coolkey_private_data_t.objects_list, freeing the `data` field. However, it may happen that two items in the list have the same `data` value, thus causing the double free when the second element is freed. If coolkey_add_object() is called multiple times with the same `object_id`, when an object's `data` is filled with coolkey_fill_object() it may set the same value on multiple objects in the list. The issue is fixed by ensuring that there is only one unique element for a given object_id value.

The double-free can be triggered only during clean-up of the smart card structures, and an attack would very likely require multiple attempts due to the various protections used in Red Hat Enterprise Linux and Fedora (e.g. ASLR), which would mean an attacker has to remove and re-insert the malicious smart card multiple times to actually exploit the system. When such attacks fail, this would result just in a segmentation fault with no security consequences. Considering the above reasons, I am increasing the Attack Complexity to High (AC:H) in the CVSSv3 score and downgrading the Impact of this flaw to Moderate, as they make the flaw much harder to exploit.

Mitigation:

If the coolkey driver is not necessary for the configuration and system in use, it is possible to disable it by not listing it in the /etc/opensc.conf file. For example:

```
app default {
    card_drivers = cac, cac1, PIV-II;
}
```

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4483 https://access.redhat.com/errata/RHSA-2020:4483

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20792
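To illustrate the root cause and the fix described above, the following is an added, self-contained C model (not OpenSC code): a hypothetical linked list of objects with `object_id` and `data` fields, a flawed add routine that admits duplicate ids, a deduplicating one that keeps each id unique, a fill step that hands every node with a given id the same buffer, and a cleanup loop in the style of coolkey_free_private_data(). All names and the ids 7 and 9 are constructed for the example.

```c
#include <stdlib.h>
/* One entry of the objects_list; data is a heap buffer freed on cleanup. */
typedef struct obj { unsigned long object_id; unsigned char *data; struct obj *next; } obj_t;
/* Flawed pattern: a new node for every call, even when object_id is already listed. */
static obj_t *add_object(obj_t *head, unsigned long id) {
    obj_t *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->object_id = id; o->next = head;
    return o;
}

/* Fixed pattern, as the advisory describes: at most one node per object_id. */
static obj_t *add_object_unique(obj_t *head, unsigned long id) {
    for (obj_t *o = head; o; o = o->next)
        if (o->object_id == id) return head;   /* already present, nothing added */
    return add_object(head, id);
}

/* Models fill_object(): every node carrying this object_id gets the same buffer. */
static void fill_object(obj_t *head, unsigned long id, unsigned char *buf) {
    for (obj_t *o = head; o; o = o->next)
        if (o->object_id == id) o->data = buf;
}

/* Nodes whose data pointer is also held by an earlier node; cleanup would free each twice. */
static int aliased_data_count(obj_t *head) {
    int n = 0;
    for (obj_t *o = head; o; o = o->next)
        for (obj_t *p = head; p != o; p = p->next)
            if (p->data && p->data == o->data) { n++; break; }
    return n;
}

/* Models coolkey_free_private_data(): free each node's data, then the node. */
static void free_private_data(obj_t *head) {
    while (head) { obj_t *n = head->next; free(head->data); free(head); head = n; }
}

/* Adds object_id 7 twice (and 9 once), fills, and returns how many frees cleanup would double. */
static int simulate(int dedup) {
    obj_t *(*add)(obj_t *, unsigned long) = dedup ? add_object_unique : add_object;
    obj_t *head = add(add(add(NULL, 7), 9), 7);
    unsigned char *b7 = malloc(16), *b9 = malloc(16);
    fill_object(head, 7, b7); fill_object(head, 9, b9);
    int aliased = aliased_data_count(head);
    /* In the flawed case, release the buffers once by hand rather than letting cleanup double free. */
    if (aliased) { free(b7); free(b9); for (obj_t *o = head; o; o = o->next) o->data = NULL; }
    free_private_data(head);
    return aliased;
}
```

`simulate(0)` reports one aliased buffer (the second node for id 7 shares its `data` with the first), while `simulate(1)` reports none, which is the property the upstream fix restores.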