Quick review of OpenSC vulnerabilities – Sep 2018

Basic Understanding:

What is smart card? A smart card is a security token that has an embedded chip. Smart cards are typically the same size as a driver’s license and can be made out of metal or plastic

Basicaly you can get smart card in two states: either blank or initialized. For blank cards OpenSC has code to initialize the card in PKCS#15 format.

PKCS#11 – The PKCS#11 interface is used to communicate or access the cryptographic devices such as HSM (Hardware Security Modules) and smart cards. The primary purpose of HSM devices is to generate cryptographic keys and sign/encrypt information without revealing the private key to the others.

PKCS#15 – PKCS 15 (Public Key Cryptography Standard 15) defines the standard for the storage of keys on smart cards. OpenSC implements PKCS#15 and thus stores everything in the directory 5015, creates certain files in defined formats, subdirectories and so on. Not all software implement PKCS#15. Many cards in EU and elsewhere have ID cards for their citizens with keys for digital signatures and authentication, and often those cards and not in PKCS#15 format.

OpenSC implements the standard APIs to smart cards

OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the PKCS #15 standard and the PKCS #11 API. It is possible to use the Smartcard via OpenSC with the Microsoft CNG library. CNG can be used together with CryptoAPI.

Vulnerability Details

CVE-2018-16418

A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

CVE-2018-16427

Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash the opensc library using programs.

Reference: Fixed out of bounds writes

https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad

OpenSC before 0.19.0-rc1 vulnerabilities summary:

Highlight concerns

Buffer overflow – Attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a user’s input. There are two types of buffer overflows: stack-based and heap-based. Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program. Stack-based buffer overflows, which are more common among attackers, exploit applications and programs by using what is known as a stack: memory space used to store user input.

Double free errors – Double free errors occur when free() is called more than once with the same … Calling free() twice on the same value can lead to memory leak.

Endless recursion vulnerability – This weakness describes a logic error within the application, which results in an endless loop.

OpenSC-019.0 released 14th Sep 2018

Fixed multiple security problems (out of bound writes/reads, #1447):

CVE-2018-16391, CVE-2018-16392, CVE-2018-16393, CVE-2018-16418, CVE-2018-16419, CVE-2018-16420, CVE-2018-16421, CVE-2018-16422, CVE-2018-16423, CVE-2018-16424, CVE-2018-16425, CVE-2018-16426, CVE-2018-16427

URL shown as below:

https://github.com/OpenSC/OpenSC/releases

Demonstrate buffer overflow

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.