Bug 457367 (CVE-2008-2235)

Summary: CVE-2008-2235, CVE-2008-3972 opensc: incorrect initialization of Siemens CardOS M4 smart cards
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: tmraz, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-04-15 20:51:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: Upstream patch to be included in 0.11.5 (Flags: none)

Description Tomas Hoger 2008-07-31 08:00:23 UTC
Andreas Jellinghaus, upstream maintainer for OpenSC, notified us of the opensc
security issue discovered by Chaskiel M Grundman.

Quoting text of upcoming upstream advisory:

All versions of OpenSC prior to 0.11.5 initialized smart cards
with Siemens CardOS M4 card operating system without proper
access right: the ADMIN file control information in the 5015
directory on the smart card was left to 00 (all access allowed).

With this bug anyone can change a user PIN without having the PIN
or PUK or the superuser's PIN or PUK. However, it cannot be used
to figure out the PIN. Thus if the PIN on your card is still the
same you always had, then you can be sure that no one exploited
this vulnerability.

This vulnerability affects only smart cards and usb crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.

Users of other smart cards and usb crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected, if the card was initialized with some software other
than OpenSC.

Comment 1 Tomas Hoger 2008-07-31 08:01:36 UTC
Created attachment 313076 [details]
Upstream patch to be included in 0.11.5

Comment 3 Tomas Hoger 2008-09-02 08:48:18 UTC
Upstream advisory was updated on 2008-08-27 to fix an issue in the pkcs15-tool in the new functionality added in 0.11.5.  It did not properly identify all smart cards initialized by the vulnerable version of opensc.  This problem in pkcs15-tool was addressed upstream in version 0.11.6.

References:
http://www.opensc-project.org/pipermail/opensc-announce/2008-August/000021.html
http://www.openwall.com/lists/oss-security/2008/08/27/1

Comment 4 Tomas Mraz 2008-09-02 15:44:54 UTC
Fixed in rawhide with upgrade to 0.11.6.

Comment 5 Tomas Hoger 2008-09-11 06:30:08 UTC
The issue mentioned in comment #3 is now also known as CVE-2008-3972:

pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to
a smart card unless the card's label matches the "OpenSC" string,
which might allow physically proximate attackers to exploit
vulnerabilities that the card owner expected were patched, as
demonstrated by exploitation of CVE-2008-2235.

Comment 6 Fedora Update System 2009-03-03 12:27:57 UTC
opensc-0.11.7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/opensc-0.11.7-1.fc9

Comment 7 Fedora Update System 2009-03-18 19:03:10 UTC
opensc-0.11.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.