CVE Vulnerabilities

CVE-2023-40660

Improper Authentication

Published: Nov 06, 2023 | Modified: Dec 04, 2024
CVSS 3.x
6.6
MEDIUM
Source:
NVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.6 MODERATE
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the users awareness.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Opensc Opensc_project * 0.23.0 (including)
Red Hat Enterprise Linux 8 RedHat opensc-0:0.20.0-7.el8_9 *
Red Hat Enterprise Linux 9 RedHat opensc-0:0.23.0-3.el9_3 *
Opensc Ubuntu bionic *
Opensc Ubuntu esm-apps/focal *
Opensc Ubuntu esm-apps/jammy *
Opensc Ubuntu focal *
Opensc Ubuntu jammy *
Opensc Ubuntu lunar *
Opensc Ubuntu mantic *
Opensc Ubuntu trusty *
Opensc Ubuntu upstream *
Opensc Ubuntu xenial *

Potential Mitigations

References