opensc 0.11.6 with fixed security update

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

opensc 0.11.6 with fixed security update

Andreas Jellinghaus-2
OpenSC today released OpenSC version 0.11.6 with:
 * security update fixed (see below)
 * new driver for feitian ePass3000 usb crypto tokens ("entersafe")
 * small improvement to gemsafe v1 emulation

Regards, Andreas

Security update for OpenSC

OpenSC Security Advisory [27-Aug-2008]

OpenSC initializes CardOS cards with improper access rights

This is an update to our security advisory 31-Jul-2008.

Chaskiel M Grundman found a security vulnerability in OpenSC. The
vulnerability has been fixed in OpenSC 0.11.6. In Mitre's CVE dictionary this
issue is filed under CVE-2008-2235. Users will need to
run "pkcs15-tool -T -U" to test (-T) and update (-U) the security settings on
their card.
All versions of OpenSC prior to 0.11.5 initialized smart cards with Siemens
CardOS M4 card operating system without proper access right: the ADMIN file
control information in the 5015 directory on the smart card was left to 00
(all access allowed).

OpenSC 0.11.5 released July 30th 2008 was found to contain only a partial fix.
The new tool for testing and updating smart cards ("pkcs15-tool -T")
contained a too strict check - including the Card label to match "OpenSC".
Jean-Pierre Szikora found this problem: a card can be initialized with
setting any label (use "pkcs15-init --create-pkcs15 --label foobar" for
example), thus this check was too strict and had to be removed.

With this bug anyone can change a user PIN without having the PIN or PUK or
the superusers PIN or PUK. However it can not be used to figure out the PIN.
Thus if the PIN on your card is still the same you always had, then you can
be sure, that noone exploited this vulnerability.

This vulnerability affects only smart cards and usb crypto tokens based on
Siemens CardOS M4, and within that group only those that were initialized
with OpenSC.

Users of other smart cards and usb crypto tokens are not affected. Users of
Siemens CardOS M4 based smart cards and crypto tokens are not affected, if
the card was initialized with some software other than OpenSC.

The new version of OpenSC implements a simple way to verify if a card is
affected or not:
has now two new options:
        --test-update, -T             Test if the card needs a security update
        --update, -U                  Update the card with a security update

        pkcs15-tool -T
 will either show
        fci is up-to-date, card is fine
        fci is out-of-date, card is vulnerable

If the card is vulnerable, please update the security setting using:
        pkcs15-tool -T -U
this will show:
        fci is out-of-date, card is vulnerable
        security update applied with success.

Our Mac OS X Installer Package "SCA" is also affected by this vulnerability:
Version 0.2.2 and earlier are vulnerable and version 0.2.3 included the
partial fix with OpenSC 0.11.5 only. A new version 0.2.4 including OpenSC
0.11.6 will be soon available.

Our old Windows Installer Package "SCB" is also affected by this
vulnerability: All versions are affected. We don't have any windows developer
left, so right now noone can update this package. But new windows binaries
build using mingw are now available in the "Build" project. Version 001
includes OpenSC 0.11.5 with the partial fix, a new version 002 with OpenSC
0.11.6 will be soon available.
opensc-announce mailing list
[hidden email]