CVE-2023-40661: Dynamic analyzers reports in pkcs15-init

This advisory summarizes the security-relevant issues that were reported automatically since the release of OpenSC 0.23.0 and that affect the handling of the card enrollment process using pkcs15-init.

All of these require physical access to the computer at the time a user or administrator is enrolling cards (generating keys, loading certificates, and other card/token management operations). The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so these issues are considered high-complexity and low-severity. They are not exploitable just by using a PKCS#11 module, as is done in most end-user deployments.

Security-related oss-fuzz issues

Originally reported by the OSS-Fuzz automated service.

CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (3.4)