Bug 457367 (CVE-2008-2235) - CVE-2008-2235, CVE-2008-3972 opensc: incorrect initialization of Siemens CardOS M4 smart cards
Status: CLOSED ERRATA
Alias: CVE-2008-2235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2008-07-31 08:00 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC

Doc Type: Bug Fix
Last Closed: 2010-04-15 20:51:41 UTC

Attachments
Upstream patch to be included in 0.11.5 (7.53 KB, patch)
2008-07-31 08:01 UTC, Tomas Hoger

Description Tomas Hoger 2008-07-31 08:00:23 UTC
Andreas Jellinghaus, upstream maintainer for OpenSC, notified us of the opensc
security issue discovered by Chaskiel M Grundman.

Quoting text of upcoming upstream advisory:

All versions of OpenSC prior to 0.11.5 initialized smart cards
with Siemens CardOS M4 card operating system without proper
access rights: the ADMIN file control information in the 5015
directory on the smart card was left to 00 (all access allowed).

With this bug anyone can change a user PIN without having the PIN
or PUK or the superuser's PIN or PUK. However, it cannot be used
to figure out the PIN. Thus if the PIN on your card is still the
same you always had, then you can be sure that no one exploited
this vulnerability.

This vulnerability affects only smart cards and USB crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.

Users of other smart cards and USB crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected if the card was initialized with some software other
than OpenSC.

Comment 1 Tomas Hoger 2008-07-31 08:01:36 UTC
Created attachment 313076
Upstream patch to be included in 0.11.5

Comment 3 Tomas Hoger 2008-09-02 08:48:18 UTC
Upstream advisory was updated on 2008-08-27 to fix an issue in the pkcs15-tool in the new functionality added in 0.11.5.  It did not properly identify all smart cards initialized by the vulnerable version of opensc.  This problem in pkcs15-tool was addressed upstream in version 0.11.6.

References:
http://www.opensc-project.org/pipermail/opensc-announce/2008-August/000021.html
http://www.openwall.com/lists/oss-security/2008/08/27/1

Comment 4 Tomas Mraz 2008-09-02 15:44:54 UTC
Fixed in rawhide with upgrade to 0.11.6.

Comment 5 Tomas Hoger 2008-09-11 06:30:08 UTC
Issue mentioned in comment #3 is now also known as CVE-2008-3972:

pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to
a smart card unless the card's label matches the "OpenSC" string,
which might allow physically proximate attackers to exploit
vulnerabilities that the card owner expected were patched, as
demonstrated by exploitation of CVE-2008-2235.

Comment 6 Fedora Update System 2009-03-03 12:27:57 UTC
opensc-0.11.7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/opensc-0.11.7-1.fc9

Comment 7 Fedora Update System 2009-03-18 19:03:10 UTC
opensc-0.11.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

