Bug 457367 - (CVE-2008-2235) CVE-2008-2235, CVE-2008-3972 opensc: incorrect initialization of Siemens CardOS M4 smart cards
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Reported: 2008-07-31 04:00 EDT by Tomas Hoger
Modified: 2010-04-15 16:51 EDT
Doc Type: Bug Fix
Last Closed: 2010-04-15 16:51:41 EDT

Attachments
Upstream patch to be included in 0.11.5 (7.53 KB, patch)
2008-07-31 04:01 EDT, Tomas Hoger

Description Tomas Hoger 2008-07-31 04:00:23 EDT
Andreas Jellinghaus, upstream maintainer for OpenSC, notified us of the opensc
security issue discovered by Chaskiel M Grundman.

Quoting text of upcoming upstream advisory:

All versions of OpenSC prior to 0.11.5 initialized smart cards
with Siemens CardOS M4 card operating system without proper
access right: the ADMIN file control information in the 5015
directory on the smart card was left to 00 (all access allowed).

With this bug anyone can change a user PIN without having the PIN
or PUK or the superuser's PIN or PUK. However it can not be used
to figure out the PIN. Thus if the PIN on your card is still the
same you always had, then you can be sure, that no one exploited
this vulnerability.

This vulnerability affects only smart cards and usb crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.

Users of other smart cards and usb crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected, if the card was initialized with some software other
than OpenSC.
Comment 1 Tomas Hoger 2008-07-31 04:01:36 EDT
Created attachment 313076
Upstream patch to be included in 0.11.5
Comment 3 Tomas Hoger 2008-09-02 04:48:18 EDT
Upstream advisory was updated on 2008-08-27 to fix an issue in the pkcs15-tool in the new functionality added in 0.11.5.  It did not properly identify all smart cards initialized by the vulnerable version of opensc.  This problem in pkcs15-tool was addressed upstream in version 0.11.6.

Comment 4 Tomas Mraz 2008-09-02 11:44:54 EDT
Fixed in rawhide with upgrade to 0.11.6.
Comment 5 Tomas Hoger 2008-09-11 02:30:08 EDT
Issue mentioned in comment #3 is now also known as CVE-2008-3972:

pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to
a smart card unless the card's label matches the "OpenSC" string,
which might allow physically proximate attackers to exploit
vulnerabilities that the card owner expected were patched, as
demonstrated by exploitation of CVE-2008-2235.
Comment 6 Fedora Update System 2009-03-03 07:27:57 EST
opensc-0.11.7-1.fc9 has been submitted as an update for Fedora 9.
Comment 7 Fedora Update System 2009-03-18 15:03:10 EDT
opensc-0.11.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
