CVE-2024-45616.md

CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc

The reported issues are part of the libopensc library, which makes them accessible from OpenSC tools, PKCS#11 module, minidriver, or CTK. The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity.

The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card. The uninitialized variables were reflected in these functions:

• cardos_match_card
  • uninitialized APDU response buffer, unchecked response length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L136)
  • uninitialized value used later by cardos_match_card
  • found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode
  • fixed with
    • 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1
    • 265b28344d036a462f38002d957a0636fda57614
• _itoa_word, called from sc_hex_dump
  • the problem arose from cac_cac1_get_certificate function with wrong calculation of certificate length based on the APDU rseponse length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac1.c#L95-L100)
  • found via fuzz_card, fuzz_pkcs15_crypt, fuzz_pkcs15_decode
  • fixed with e7177c7ca00200afea820d155dca67f38b232967
• sc_bin_to_hex
  • the problem arose from auth_select_aid function unchecked SW1 and SW2 after querying for serial number (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-oberthur.c#L163)
  • found via fuzz_pkcs11, fuzz_pkcs15_encode
  • fixed with ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60
• strcmp, called from sc_asn1_read_tag
  • the problem arose from gids_get_DO function with incorrect setting of buffer length, when buffer filled with APDU response (https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-gids.c#L249-L253)
  • found via fuzz_pkcs15_decode
  • fixed with 16ada9dc7cddf1cb99516aea67b6752c251c94a2
• asn1_decode
  • do_select not checking APDU response length before accessing APDu response buffer (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L590)
  • found via fuzz_pkcs11, fuzz_pkcs15_decode
  • fixed with 3562969c90a71b0bcce979f0e6d627546073a7fc
• process_fcp
  • do_select not checking APDU response length before accessing APDu response buffer (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L590)
  • fuzz_pkcs15_crypt
  • fixed with 3562969c90a71b0bcce979f0e6d627546073a7fc
• dnie_process_fci
  • dnie_compose_and_send_apdu lacks checking for APDU response length before accessing response (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L1180)
  • found via fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode
  • fixed with cccdfc46b10184d1eea62d07fe2b06240b7fafbc
• iso7816_process_fci
  • dnie_compose_and_send_apdu lacks checking for APDU response length before accessing response (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L1180)
  • found via fuzz_pkcs15_encode
  • fixed with cccdfc46b10184d1eea62d07fe2b06240b7fafbc
• sc_pkcs15init_parse_info, msc_extract_rsa_public_key
  • incorrect return of APDU response data length in msc_partial_read_object (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/muscle.c#L96)
  • uninitialized part of buffer after actual length accessed by sc_pkcs15init_parse_info
  • found via fuzz_pkcs11, fuzz_pkcs15init
  • fixed with 5fa758767e517779fc5398b6b4faedc4e36d3de5
• sc_bin_to_hex
  • unchecked APDU response length when querying for serial number in auth_select_aid (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-oberthur.c#L163)
  • found via fuzz_pkcs15_crypt, fuzz_pkcs15init, fuzz_pkcs15_decode
  • fixed with ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60
• gids_read_masterfile
  • the problem arose from gids_get_DO function with incorrect setting of buffer length, when buffer filled with APDU response (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-gids.c#L249-L253)
  • fixed with
    • 76115e34799906a64202df952a8a9915d30bc89d
    • 16ada9dc7cddf1cb99516aea67b6752c251c94a2
• sc_bin_to_hex
  • unchecked value of APDU response length in function entersafe_get_serialnr (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-entersafe.c#L1424)
  • found via fuzz_pkcs15_reader
  • fixed with aa102cd9abe1b0eaf537d9dd926844a46060d8bc

Affected versions: all before 0.26.0

Originally reported by Matteo Marini (Sapienza University of Rome)

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (3.9)