OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11


Andreas Jellinghaus-2
Here is our security announcement and information about our new versions.

OpenSC Security Advisory [31-Jul-2008]

OpenSC initializes CardOS cards with improper access rights
-----------------------------------------------------------

Chaskiel M Grundman found a security vulnerability in OpenSC.
The vulnerability has been fixed in OpenSC 0.11.5.
In Mitre's CVE dictionary this issue is filed under CVE-2008-2235.
Users will need to run "pkcs15-tool -T -U" to test (-T) and
update (-U) the security settings on their card.

All versions of OpenSC prior to 0.11.5 initialized smart cards
with the Siemens CardOS M4 card operating system without proper
access rights: the ADMIN file control information in the 5015
directory on the smart card was left at 00 (all access allowed).

With this bug anyone can change a user PIN without knowing the PIN
or PUK, or the superuser's PIN or PUK. However, it cannot be used
to figure out the PIN. Thus, if the PIN on your card is still the
same one you always had, you can be sure that no one exploited
this vulnerability.

This vulnerability affects only smart cards and USB crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.

Users of other smart cards and USB crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected if the card was initialized with software other
than OpenSC.

The new version of OpenSC implements a simple way to verify whether a
card is affected or not: pkcs15-tool now has two new options:
  --test-update, -T             Test if the card needs a security update
  --update, -U                  Update the card with a security update

Running
        pkcs15-tool -T
will either show
        fci is up-to-date, card is fine
or
        fci is out-off-date, card is vulnerable

If the card is vulnerable, please update the security setting using:
        pkcs15-tool -T -U
this will show:
        fci is out-off-date, card is vulnerable
        security update applied with success.
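For unattended checks of several cards, the documented test-and-update procedure can be wrapped in a small POSIX shell script with a distinct exit code per outcome. This is an added example, not part of the advisory or of OpenSC itself; it recognises only the two result lines and the success line quoted above, and the PKCS15_TOOL variable for the binary location is an assumption of this script, not an OpenSC feature.

```shell
#!/bin/sh
# Added example: automate "pkcs15-tool -T" / "pkcs15-tool -T -U" as described
# in the advisory. Not OpenSC code. Run with "--run" on a host with a reader.

# Classify the output of "pkcs15-tool -T".
# Prints one of: fine | vulnerable | unknown. Only the two result lines
# quoted in the advisory are recognised; anything else is "unknown".
classify_fci_output() {
    case "$1" in
        *"fci is up-to-date, card is fine"*)         echo fine ;;
        *"fci is out-off-date, card is vulnerable"*) echo vulnerable ;;
        *)                                           echo unknown ;;
    esac
}

# Check the output of "pkcs15-tool -T -U": the update counts as applied
# only if the success line quoted in the advisory is present.
update_succeeded() {
    case "$1" in
        *"security update applied with success"*) return 0 ;;
        *)                                        return 1 ;;
    esac
}

# Run the real tool. Exit codes: 0 card fine, 1 update applied,
# 2 card still not confirmed fixed, 3 unrecognised tool output.
# PKCS15_TOOL (assumed name, local to this script) overrides the binary path.
check_cardos_card() {
    tool="${PKCS15_TOOL:-pkcs15-tool}"
    out=$("$tool" -T 2>&1) || true   # the tool's exit status is not documented
    case "$(classify_fci_output "$out")" in
        fine)    echo "card is fine: $out"; return 0 ;;
        unknown) echo "unrecognised output from $tool -T:"; echo "$out"; return 3 ;;
    esac
    echo "card is vulnerable, applying security update"
    upd=$("$tool" -T -U 2>&1) || true
    if update_succeeded "$upd"; then
        echo "$upd"; return 1
    fi
    echo "update did not report success:"; echo "$upd"; return 2
}

if [ "${1-}" = "--run" ]; then
    check_cardos_card
    exit $?
fi
```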


Our Mac OS X Installer Package "SCA" is also affected by this vulnerability:
version 0.2.2 and earlier are vulnerable. A new version 0.2.3 including this
fix will soon be available at
                http://www.opensc-project.org/

Our Windows Installer Package "SCB" is also affected by this vulnerability:
all versions are affected. We don't have any Windows developer left, so right
now no one can update this package. But new Windows binaries built using mingw
will soon be available at
                http://www.opensc-project.org/files/build/


New Versions
============


Today we release new versions of many projects:

OpenCT 0.6.15
http://www.opensc-project.org/files/openct/openct-0.6.15.tar.gz

OpenSC 0.11.5
http://www.opensc-project.org/files/opensc/opensc-0.11.5.tar.gz

Libp11 0.2.4
http://www.opensc-project.org/files/libp11/libp11-0.2.4.tar.gz

Pam_P11 0.1.4
http://www.opensc-project.org/files/pam_p11/pam_p11-0.1.4.tar.gz

Engine_PKCS11 0.1.5
http://www.opensc-project.org/files/engine_pkcs11/engine_pkcs11-0.1.5.tar.gz

Important: older versions of OpenSC had a security vulnerability.
Please update to the new version. If you used OpenSC to initialize
plain smart cards or USB crypto tokens based on Siemens CardOS M4,
then you will need to update your card to fix the wrong configuration.
        pkcs15-tool -T -U
will do this for you.

Changes in OpenCT 0.6.15 released 2008-07-31
* Build system rewritten (NOTICE: configure options were modified).
* Non-privileged configuration added; as a result the ifdhandler section of
  /etc/openct.conf was modified, please review the sample at etc/openct.conf
  before upgrading.
* The usb device add (/dev/bus/usb/$env{BUSNUM}/$env{DEVNUM}) udev rule is now
  available in a separate file, as it should already be available on most
  distributions and may conflict. Install it only if you are using an old udev
  that lacks this statement.
* Basic coldplug support on Linux is available without libusb dependency.
* CCID-1.10 is now supported.

Changes in OpenSC 0.11.5 released 2008-07-31
* Apply security fix for cardos driver and extend pkcs15-tool to
  test cards for the security vulnerability and update them.
* Build system rewritten (NOTICE: configure options were modified).
  The build system can produce outputs for *NIX, cygwin and native
  Windows (using mingw).
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is dynamically linked and no longer a compile-time dependency.
* PKCS#11 provider is now installed at LIBDIR/pkcs11.
* PKCS#11 - Number of virtual slots moved into the configuration.
* PKCS#11 - Fix fork() compliance.
* Make the sign_with_decrypt hack configurable for Siemens cards.

Changes in Lib_P11 0.2.4 released 2008-07-31
* Build system rewritten (NOTICE: configure options were modified).
  The build system can produce outputs for *NIX, cygwin and native
  Windows (using mingw).
* added PKCS11_CTX_init_args (David Smith).
* fix segfault in init_args code.
* implemented PKCS11_private_encrypt (with PKCS11_sign now based on it)
  (Arnaud Ebalard)

Changes in Pam_P11 0.1.4 released 2008-07-31
* new version with a number of build fixes

Changes in Engine PKCS#11 0.1.5 released 2008-07-31
* Build system rewritten (NOTICE: configure options were modified).
  The build system can produce outputs for *NIX, cygwin and native
  Windows (using mingw).
* Cleanup of PIN code: always use MAX_PIN_LENGTH, proper cleanup.
* New: use PKCS11_CTX_init_args (David Smith).
* Fix segfault in init_args code.
* Needs new version of libp11 (0.2.4 or later).

_______________________________________________
opensc-announce mailing list
http://www.opensc-project.org/mailman/listinfo/opensc-announce