#VU86939 Use-after-free in OpenSC - CVE-2024-1454

 


Published: March 1, 2024


Vulnerability identifier: #VU86939
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-1454
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenSC
Software vendor: OpenSC

Description

The vulnerability allows an attacker to bypass authentication.

The vulnerability exists due to a use-after-free error in the AuthentIC driver during the card enrollment process with pkcs15-init, when a user or administrator enrolls or modifies cards. An attacker with physical access to the system can use a crafted USB device or smart card to present the system with specially crafted responses to the APDUs sent for card management operations during enrollment.


Remediation

Install updates from the vendor's website.
