Vulnerability identifier: #VU82975
Vulnerability risk: Low
CVSSv3.1: 2.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
OpenSC
Universal components / Libraries /
Libraries used by multiple products
Vendor: OpenSC
Description
The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the MyEID driver when handling symmetric key encryption. An attacker with physical access to the system can use a specially crafted USB device to trigger an out-of-bounds read error and gain access to potentially sensitive information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
OpenSC: 0.2.0 - 0.23.0 rc2
External links
http://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
http://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
http://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
http://bugzilla.redhat.com/show_bug.cgi?id=2240914
http://access.redhat.com/security/cve/CVE-2023-4535
http://github.com/OpenSC/OpenSC/commit/f1993dc4e0b33050b8f72a3558ee88b24c4063b2
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.