5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.024 Low
EPSS
Percentile
90.0%
Severity: Medium
Date : 2017-01-04
CVE-ID : CVE-2016-10109
Package : pcsclite
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-126
The package pcsclite before version 1.8.20-1 is vulnerable to privilege
escalation.
Upgrade to 1.8.20-1.
The problem has been fixed upstream in version 1.8.20.
None.
The SCardReleaseContext function normally releases resources associated
with the given handle (including “cardsList”) and clients should cease
using this handle. A malicious client can however make the daemon
invoke SCardReleaseContext and continue issuing other commands that use
“cardsList”, resulting in a use-after-free. When SCardReleaseContext is
invoked multiple times, it additionally results in a double-free of
“cardsList”.
The issue allows a local attacker to cause a denial of service, but can
potentially result in privilege escalation since the daemon is running
as root while any local user can connect to the Unix socket. Fixed by
patch “SCardReleaseContext: prevent use-after-free of cardsList” which
is released with hpcsc-lite 1.8.20 on 30 December 2016.
A local attacker is able to cause a denial of service or escalate
privileges by sending specially crafted commands to pcscd.
https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22
http://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20161226/000779.html
http://marc.info/?l=oss-security&m=148345047107588
https://security.archlinux.org/CVE-2016-10109
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.024 Low
EPSS
Percentile
90.0%