National Cyber-Alert System
Vulnerability Summary for CVE-2008-2235
Original release date:08/01/2008
Last revised:03/25/2009
Source:
US-CERT/NIST
Overview
OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN.
Impact
CVSS Severity (version 2.0):
Impact Subscore:
6.9
Exploitability Subscore:
3.9
CVSS Version 2 Metrics:
Access Vector: Locally exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type:Allows unauthorized modification
- Official Statement from Siemens (08/14/2008)
-
Siemens has analyzed this report and states that no security breach can be found in the Siemens CardOS M4 itself and it thus does not relate to any Siemens component. The reported vulnerability (caused by inappropriate personalization) is due to an issue in the OPENSC middleware detailed information can be found under http://www.opensc-project.org/security.html.
Therefore, Siemens recommends all customers and partners using OPENSC to use either the current version 0.11.5 of OPENSC in which this vulnerability is fixed or to use the bug fix suggested under http://freshmeat.net/articles/view/3333/.
We hope that we could help you with this recommendation.
If you have further questions, please contact the Siemens CardOS hotline under:
scs-support.med@siemens.com
Phone: +49 89 636 35996 (Mo.-Fr. 9:00-17:00 German time)
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
External Source: BID
Name: 30473
Type: Patch Information
External Source: FEDORA
Name: FEDORA-2009-2267
External Source: XF
Name: opensc-smartcard-cryptotoken-weak-security(44140)
External Source: CONFIRM
Name: http://www.opensc-project.org/security.html
External Source: MLIST
Name: [opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11
External Source: MANDRIVA
Name: MDVSA-2008:183
External Source: GENTOO
Name: GLSA-200812-09
External Source: SECUNIA
Name: 34362
External Source: SECUNIA
Name: 33115
External Source: SECUNIA
Name: 32099
External Source: SECUNIA
Name: 31360
External Source: SECUNIA
Name: 31330
External Source: SUSE
Name: SUSE-SR:2009:004
External Source: SUSE
Name: SUSE-SR:2008:019
External Source: DEBIAN
Name: DSA-1627