CVE-2023-40660

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

CVSS v3 6.6 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/12/13/2
https://access.redhat.com/errata/RHSA-2023:7876
https://access.redhat.com/errata/RHSA-2023:7879
https://access.redhat.com/security/cve/CVE-2023-40660	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2240912	Issue Tracking
https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651	Issue Tracking
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1	Release Notes
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

History

23 Dec 2023, 05:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/ -

22 Dec 2023, 04:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/ -

19 Dec 2023, 16:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2023:7876 - () https://access.redhat.com/errata/RHSA-2023:7879 -

13 Dec 2023, 18:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2023/12/13/2 -

27 Nov 2023, 03:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html -

14 Nov 2023, 17:12

Type	Values Removed	Values Added
CPE		cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux:9.0:::::::* cpe:2.3:a:opensc_project:opensc::::::::
First Time		Redhat Opensc Project Opensc Project opensc Redhat enterprise Linux
CWE		CWE-287
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.6
References	~~(MISC) https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1 -~~	(MISC) https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1 - Release Notes
References	~~(MISC) https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories -~~	(MISC) https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories - Vendor Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2240912 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2240912 - Issue Tracking
References	~~(MISC) https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651 -~~	(MISC) https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651 - Issue Tracking
References	~~(MISC) https://access.redhat.com/security/cve/CVE-2023-40660 -~~	(MISC) https://access.redhat.com/security/cve/CVE-2023-40660 - Third Party Advisory

06 Nov 2023, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-06 17:15

Updated : 2023-12-23 05:15

NVD link : CVE-2023-40660

Mitre link : CVE-2023-40660

CVE.ORG link : CVE-2023-40660

JSON object : View

Products Affected

opensc_project

opensc

redhat

enterprise_linux

CWE

CWE-287

Improper Authentication

6.6 /10