ID CVE-2009-0368
Summary OpenSC before 0.11.7 allows physically proximate attackers to bypass intended PIN requirements and read private data objects via a (1) low level APDU command or (2) debugging tool, as demonstrated by reading the 4601 or 4701 file with the opensc-explorer or opensc-tool program.
References
Vulnerable Configurations
  • cpe:2.3:a:opensc-project:opensc:0.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.8:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.4:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.5:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.6:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.7:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.7:b:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.7:b:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.7:d:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.7:d:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.9.8:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.11.0:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.11.2:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.11.3:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.11.3:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.11.3:pre3:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.11.3:pre3:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.11.4:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.11.4:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:0.11.5:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:0.11.5:*:*:*:*:*:*:*
  • cpe:2.3:a:opensc-project:opensc:*:*:*:*:*:*:*:*
    cpe:2.3:a:opensc-project:opensc:*:*:*:*:*:*:*:*
CVSS
Base: 2.1 (as of 08-08-2017 - 01:33)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 33922
debian DSA-1734
fedora
  • FEDORA-2009-2266
  • FEDORA-2009-2267
gentoo GLSA-200908-01
mlist
  • [opensc-announce] 20090226 OpenSC Security Advisory
  • [oss-security] 20090226 OpenSC Security Advisory
secunia
  • 34052
  • 34120
  • 34362
  • 34377
  • 35065
  • 36074
suse SUSE-SR:2009:010
xf opensc-pkcs-unauth-access(48958)
Last major update 08-08-2017 - 01:33
Published 02-03-2009 - 22:30
Last modified 08-08-2017 - 01:33
Back to Top