SUSE update for opensc



Published: 2021-10-29
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2021-42780
CVE-2021-42782
CWE-ID CWE-252
CWE-121
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise Server
Operating systems & Components / Operating system

SUSE Linux Enterprise Point of Sale
Operating systems & Components / Operating system

SUSE Linux Enterprise Debuginfo
Operating systems & Components / Operating system

opensc-debuginfo-32bit
Operating systems & Components / Operating system package or component

opensc-debugsource
Operating systems & Components / Operating system package or component

opensc-debuginfo
Operating systems & Components / Operating system package or component

opensc-32bit
Operating systems & Components / Operating system package or component

libopensc2-32bit
Operating systems & Components / Operating system package or component

opensc
Operating systems & Components / Operating system package or component

libopensc2
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Unchecked Return Value

EUVDB-ID: #VU66136

Risk: Low

CVSSv3.1: 2.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42780

CWE-ID: CWE-252 - Unchecked Return Value

Exploit availability: No

Description

The vulnerability allows an attacker with physical access to perform denial of service attacks.

The vulnerability exists due to use after return issue in insert_pin() function in  Opensc. An attacker with physical access can trigger the vulnerability to perform denial of service attacks.

Mitigation

Update the affected package opensc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE

SUSE Linux Enterprise Point of Sale: 11-SP3

SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4

opensc-debuginfo-32bit: before 0.11.6-5.27.14.1

opensc-debugsource: before 0.11.6-5.27.14.1

opensc-debuginfo: before 0.11.6-5.27.14.1

opensc-32bit: before 0.11.6-5.27.14.1

libopensc2-32bit: before 0.11.6-5.27.14.1

opensc: before 0.11.6-5.27.14.1

libopensc2: before 0.11.6-5.27.14.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-202114835-1/


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Stack-based buffer overflow

EUVDB-ID: #VU66137

Risk: Low

CVSSv3.1: 2.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42782

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows an attacker with physical access to perform a denial of service attack.

The vulnerability exists due to a boundary error in Opensc in various places. An attacker with physical access can trigger stack-based buffer overflow and perform a denial of service attack.

Mitigation

Update the affected package opensc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE

SUSE Linux Enterprise Point of Sale: 11-SP3

SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4

opensc-debuginfo-32bit: before 0.11.6-5.27.14.1

opensc-debugsource: before 0.11.6-5.27.14.1

opensc-debuginfo: before 0.11.6-5.27.14.1

opensc-32bit: before 0.11.6-5.27.14.1

libopensc2-32bit: before 0.11.6-5.27.14.1

opensc: before 0.11.6-5.27.14.1

libopensc2: before 0.11.6-5.27.14.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-202114835-1/


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###