Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 233543 (CVE-2008-2235) - dev-libs/opensc <0.11.6 CardOS initialization with improper access rights (CVE-2008-2235,CVE-2008-3972)
Summary: dev-libs/opensc <0.11.6 CardOS initialization with improper access rights (CV...
Status: RESOLVED FIXED
Alias: CVE-2008-2235
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 233519
Blocks: 226713
  Show dependency tree
 
Reported: 2008-07-31 23:46 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-10 16:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-31 23:46:57 UTC
OpenSC Security Advisory [31-Jul-2008]

OpenSC initializes CardOS cards with improper access rights
-----------------------------------------------------------

Chaskiel M Grundman found a security vulnerability in OpenSC.
The vulnerability has been fixed in OpenSC 0.11.5.
In Mitre's CVE dictionary this issue is filed under CVE-2008-2235.
Users will need to run "pkcs15-tool -T -U" to test (-T) and 
update (-U) the security settings on their card.

All versions of OpenSC prior to 0.11.5 initialized smart cards
with Siemens CardOS M4 card operating system without proper
access right: the ADMIN file control information in the 5015
directory on the smart card was left to 00 (all access allowed).

With this bug anyone can change a user PIN without having the PIN
or PUK or the superusers PIN or PUK. However it can not be used
to figure out the PIN. Thus if the PIN on your card is still the
same you always had, then you can be sure, that noone exploited
this vulnerability.

This vulnerability affects only smart cards and usb crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.

Users of other smart cards and usb crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected, if the card was initialized with some software other
than OpenSC.

The new version of OpenSC implements a simple way to verify if a
card is affected or not:
        pkcs15-tool has now two new options:
  --test-update, -T             Test if the card needs a security update
  --update, -U                  Update the card with a security update

Running
        pkcs15-tool -T
will either show
        fci is up-to-date, card is fine
or 
        fci is out-off-date, card is vulnerable

If the card is vulnerable, please update the security setting using:
        pkcs15-tool -T -U
this will show:
        fci is out-off-date, card is vulnerable
        security update applied with success.


Our Mac OS X Installer Package "SCA" is also affected by this vulnerability:
Version 0.2.2 and earleir are vulnerable. A new version 0.2.3 including this
fix will soon be available at
                http://www.opensc-project.org/

Our Windows Installer Package "SCB" is also affected by this vulnerability:
All versions are affected. We don't have any windows developer left, so right
now noone can update this package. But new windows binaries build using mingw
will be soon available at
                http://www.opensc-project.org/files/build/

--cut--

attached is a patch distributions can apply instead of updating to the new 
version. still users will need to run "pkcs15-tool -T -U" for all their smart 
cards and usb crypto tokens (only those based on "Siemens CardOS M4" and 
initialized with OpenSC), please let them know.

Regards, Andreas
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-27 10:14:42 UTC
Security update for OpenSC
==========================

OpenSC Security Advisory [27-Aug-2008]
--------------------------------------

OpenSC initializes CardOS cards with improper access rights

This is an update to our security advisory 31-Jul-2008. 

Chaskiel M Grundman found a security vulnerability in OpenSC. The 
vulnerability has been fixed in OpenSC 0.11.6. In Mitre's CVE dictionary this 
issue is filed under CVE-2008-2235. Users will need to 
run "pkcs15-tool -T -U" to test (-T) and update (-U) the security settings on 
their card. 
 
All versions of OpenSC prior to 0.11.5 initialized smart cards with Siemens 
CardOS M4 card operating system without proper access right: the ADMIN file 
control information in the 5015 directory on the smart card was left to 00 
(all access allowed). 

OpenSC 0.11.5 released July 30th 2008 was found to contain only a partial fix. 
The new tool for testing and updating smart cards ("pkcs15-tool -T") 
contained a too strict check - including the Card label to match "OpenSC". 
Jean-Pierre Szikora found this problem: a card can be initialized with 
setting any label (use "pkcs15-init --create-pkcs15 --label foobar" for 
example), thus this check was too strict and had to be removed. 

With this bug anyone can change a user PIN without having the PIN or PUK or 
the superusers PIN or PUK. However it can not be used to figure out the PIN. 
Thus if the PIN on your card is still the same you always had, then you can 
be sure, that noone exploited this vulnerability. 

This vulnerability affects only smart cards and usb crypto tokens based on 
Siemens CardOS M4, and within that group only those that were initialized 
with OpenSC. 

Users of other smart cards and usb crypto tokens are not affected. Users of 
Siemens CardOS M4 based smart cards and crypto tokens are not affected, if 
the card was initialized with some software other than OpenSC. 

The new version of OpenSC implements a simple way to verify if a card is 
affected or not: 
        pkcs15-tool
has now two new options: 
        --test-update, -T             Test if the card needs a security update
        --update, -U                  Update the card with a security update

Running 
        pkcs15-tool -T
 will either show 
        fci is up-to-date, card is fine
 or 
        fci is out-of-date, card is vulnerable

If the card is vulnerable, please update the security setting using: 
        pkcs15-tool -T -U
this will show: 
        fci is out-of-date, card is vulnerable
        security update applied with success.

Our Mac OS X Installer Package "SCA" is also affected by this vulnerability: 
Version 0.2.2 and earlier are vulnerable and version 0.2.3 included the 
partial fix with OpenSC 0.11.5 only. A new version 0.2.4 including OpenSC 
0.11.6 will be soon available. 

Our old Windows Installer Package "SCB" is also affected by this 
vulnerability: All versions are affected. We don't have any windows developer 
left, so right now noone can update this package. But new windows binaries 
build using mingw are now available in the "Build" project. Version 001 
includes OpenSC 0.11.5 with the partial fix, a new version 002 with OpenSC 
0.11.6 will be soon available.
Comment 2 Daniel Black (RETIRED) gentoo-dev 2008-08-30 05:22:07 UTC
opensc-0.11.6.ebuild added
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 12:12:41 UTC
Arches, please test and mark stable:
=dev-libs/opensc-0.11.6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Markus Meier gentoo-dev 2008-08-30 15:18:16 UTC
amd64/x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2008-08-31 13:03:51 UTC
ppc and ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-08-31 15:24:15 UTC
alpha/ia64/sparc stable
Comment 7 Guy Martin (RETIRED) gentoo-dev 2008-10-31 20:33:41 UTC
hppa stable. I was able to auth myself via ssh using my ID card. woot !
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-05 08:49:34 UTC
Ready for vote, I vote YES.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:58:15 UTC
YES then, filed
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-12-10 16:55:06 UTC
GLSA 200812-09