Use-after-free in OpenSC - CVE-2024-1454

 

Use-after-free in OpenSC - CVE-2024-1454

Published: March 1, 2024


Vulnerability identifier: #VU86939
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-1454
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenSC
Affected software:
OpenSC

Detailed vulnerability description

The vulnerability allows an attacker to bypass authentication.

The vulnerability exists due to a use-after-free error in the AuthentIC driver in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker with physical access to the system can use a crafted USB device or smart card to present the system with specially crafted responses to the APDUs to card management operations during enrollment.


How to mitigate CVE-2024-1454

Install updates from vendor's website.

Sources