Published: 06/11/2023 Updated: 23/12/2023

CVSS v3 Base Score: 6.6 | Impact Score: 5.9 | Exploitability Score: 0.7

VMScore: 0

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an malicious user to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

Vulnerable Product	Search on Vulmon	Subscribe to Product
opensc project opensc
redhat enterprise linux 8.0
redhat enterprise linux 9.0

Synopsis Moderate: opensc security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for opensc is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a secu ...

Synopsis Moderate: opensc security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for opensc is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated this update as having a secu ...

Debian Bug report logs - #1055522 opensc: CVE-2023-40661 Package: src:opensc; Maintainer for src:opensc is Debian OpenSC Maintainers <pkg-opensc-maint@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 7 Nov 2023 20:09:02 UTC Severity: important Tags: security, upstream Found ...

Debian Bug report logs - #1055521 opensc: CVE-2023-40660 Package: src:opensc; Maintainer for src:opensc is Debian OpenSC Maintainers <pkg-opensc-maint@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 7 Nov 2023 20:00:02 UTC Severity: important Tags: security, upstream Found ...

Debian Bug report logs - #1055520 opensc: CVE-2023-4535 Package: src:opensc; Maintainer for src:opensc is Debian OpenSC Maintainers <pkg-opensc-maint@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 7 Nov 2023 19:57:02 UTC Severity: important Tags: security, upstream Found ...

Potential PIN bypassWhen the token/card was plugged into the computer and authenticated from one process, it could be used to provide cryptographic operations from different process when the empty, zero-length PIN and the token can track the login status using some of its internals This is dangerous for OS logon/screen unlock and small tokens tha ...

Description This CVE is under investigation by Red Hat Product Security ...

CWE-287 https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1 https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories https://bugzilla.redhat.com/show_bug.cgi?id=2240912 https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651 https://access.redhat.com/security/cve/CVE-2023-40660 https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html http://www.openwall.com/lists/oss-security/2023/12/13/2 https://access.redhat.com/errata/RHSA-2023:7876 https://access.redhat.com/errata/RHSA-2023:7879 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/https://access.redhat.com/errata/RHSA-2023:7876 https://nvd.nist.gov https://alas.aws.amazon.com/AL2/ALAS-2023-2323.html

CVE-2023-40660

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect