CVE 2023 40661

CVE-2023-40661: Dynamic analyzers reports in pkcs15-init

This advisory summarizes automatically reported issues that are security relevant that were reported since the release of OpenSC 0.23.0 and that are relevant to the handling the card enrollment process using pkcs15-init.

All of these require physical access to the computer at the time user or administrator would be enrolling the cards (generating keys and loading certificates, other card/token management) operations. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs so they are considered a high-complexity and low-severity. This issue is not exploitable just by using a PKCS#11 module as done in most of the end-user deployments.

Security-related oss-fuzz issues

• Stack buffer overflow in sc_pkcs15_get_lastupdate in pkcs15init
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60527
  • fixed with 245efe608d083fd4e4ec96793fdefd218e26fde7
• Heap buffer overflow in setcos_create_key in pkcs15init
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64181
  • fixed with
    • 440ca666eff10cc7011901252d20f3fc4ea23651
    • 4013a807492568bf9907cfb3df41f130ac83c7b9
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 Heap buffer overflow in cosm_new_file in pkcs15init
  • fixed with 41d61da8481582e12710b5858f8b635e0a71ab5e
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616 Heap double free in sc_pkcs15_free_object_content
  • fixed with 638a5007a5d240d6fa901aa822cfeef94fe36e85
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 Stack buffer overflow in cflex_delete_file in pkcs15init
  • fixed with c449a181a6988cc1e8dc8764d23574e48cdc3fa6
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 Heap buffer overflow in sc_hsm_write_ef in pkcs15init
  • not in any released version, fixed with dd138d0600a1acd7991989127f36827e5836b24e
• Stack buffer overflow while parsing pkcs15 profile files
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
  • fixed with 5631e9843c832a99769def85b7b9b68b4e3e3959
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 Stack buffer overflow in muscle driver in pkcs15init
  • fixed with df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927 Stack buffer overflow in cardos driver in pkcs15init
  • fixed with 578aed8391ef117ca64a9e0cba8e5c264368a0ec
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64215 Heap buffer overflow in epass2003 driver in pkcs15init
  • fixed with 609164045facaeae193feb48d9c2fc5cc4321e8a
• Heap buffer overflow in iasecc driver in pkcs15init
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63949
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63587
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63163
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61797
  • fixed with
    • 8fc2c20c3f895569eeb58328bb882aec07325d3b
    • fbda61d0d276dc98b9d1d1e6810bbd21d19e3859
    • 83b9129bd3cfc6ac57d5554e015c3df85f5076dc
    • 2a4921ab23fd0853f327517636c50de947548161
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63104 Stack buffer overflow in entersafe driver in pkcs15init
  • fixed with 50f0985f6343eeac4044661d56807ee9286db42c
• Heap buffer overflow in oberthur driver in pkcs15init
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
  • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62613
  • fixed with 41d61da8481582e12710b5858f8b635e0a71ab5e
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61750 Stack buffer overflow in idprime driver in pkcs15init
  • fixed with fa8ad362852dbefad5b6796c32f2a33859b8a8e0
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60971 Heap buffer overflow in test_verify
  • fixed with ffbff25ec6c6d0ad3f8df76f57210698f7947fc3

Originally reported by OSS-fuzz automated service

CVSS:3.0AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (3.4)