CVE-2023-40660

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-40660
A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

6.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2023/12/13/2
https://access.redhat.com/errata/RHSA-2023:7876
https://access.redhat.com/errata/RHSA-2023:7879
https://access.redhat.com/security/cve/CVE-2023-40660 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2240912 Issue Tracking
https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651 Issue Tracking
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1 Release Notes
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/
Configurations

Configuration 1 (hide)

cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
History

23 Dec 2023, 05:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/ -

22 Dec 2023, 04:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/ -

19 Dec 2023, 16:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2023:7879 -
  • () https://access.redhat.com/errata/RHSA-2023:7876 -

13 Dec 2023, 18:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2023/12/13/2 -

27 Nov 2023, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-11-06 17:15

Updated : 2024-02-05 00:01

NVD link : CVE-2023-40660

Mitre link : CVE-2023-40660

CVE.ORG link : CVE-2023-40660

JSON object : View

Products Affected

redhat

  • enterprise_linux

opensc_project

  • opensc
CWE
CWE-287

Improper Authentication