CVE-2024-1454

2024-02-1223:15:08

Debian Security Bug Tracker

security-tracker.debian.org

cve-2024-1454

vulnerability

opensc

authentic driver

card enrolment

pkcs15-init

physical access

crafted usb device

smart card

apdus

compromised operations

3.4 Low

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.4%

JSON

The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occuring in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can allow for compromised card management operations during enrolment.

OSVersionArchitecturePackageVersionFilename
Debian12allopensc<= 0.23.0-0.3+deb12u1opensc_0.23.0-0.3+deb12u1_all.deb
Debian11allopensc<= 0.21.0-1opensc_0.21.0-1_all.deb
Debian999allopensc< 0.25.0~rc1-1opensc_0.25.0~rc1-1_all.deb
Debian13allopensc< 0.25.0~rc1-1opensc_0.25.0~rc1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	opensc	<= 0.23.0-0.3+deb12u1	opensc_0.23.0-0.3+deb12u1_all.deb
Debian	11	all	opensc	<= 0.21.0-1	opensc_0.21.0-1_all.deb
Debian	999	all	opensc	< 0.25.0~rc1-1	opensc_0.25.0~rc1-1_all.deb
Debian	13	all	opensc	< 0.25.0~rc1-1	opensc_0.25.0~rc1-1_all.deb