X41 D-Sec GmbH Security Advisory: X41-2018-002
Confirmed Affected Versions: 0.17.0
Confirmed Patched Versions: -
Vendor URL: https://github.com/OpenSC/OpenSC
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Multiple issues have been identified in OpenSC, ranging from stack based buffer overflows to out of bounds reads and writes on the heap. They can be triggered by malicious smartcards sending malformed responses to APDU commands. In addition to the issues reported here, many minor issues (e.g. OOB reads and similar) have been reported and fixed. The OpenSC team (especially Frank Morgner) did an excellent job of identifying and fixing further issues.
Due to the large amount of issues, no individual issues have been rated with CVSS / CVE ID yet.
X41 did not perform a full test or audit of the software, but tried to help identify as many bugs as possible over the course of a year.
OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and it facilitates their use in security applications such as authentication, mail encryption and digital signatures.
In muscle_list_files() in file src/libopensc/card-muscle.c an out of bounds write might occur, since bufLen is not checked.
In tcos_select_file() in file src/libopensc/card-tcos.c a filename is extracted from an APDU response and written into an internal buffer. No check is performed whether the string retrieved from the card fits into the buffer, which could trigger an OOB write.
If piv_validate_general_authentication() in src/libopensc/card-piv.c is called with a datalen parameter greater than 4096, an out of bounds write occurs. Currently no caller seems to do this.
gemsafe_get_cert_len() in file src/libopensc/pkcs15-gemsafeV1.c might write beyond the gemsafe_cert arrays in case more than 12 containers are stored on the card.
In util_acl_to_str() in file src/tools/util.c no checks are performed whether the string put together fits into line, which could be abused to trigger limited out of bounds writes.
In read_public_key() in file src/tools/cryptoflex-tool.c the bufsize variable is overwritten with file->size retrieved from the smartcard. This could be bigger than 2048, allowing for a stack based buffer overflow in the
The same issue can be found in
In decrypt_response() in file src/libopensc/card-epass2003.c an out of bounds overwrite can occur. No check is performed whether the plaintext buffer fits into the out buffer before copying, leading to a memory overwrite.
In cac_get_serial_nr_from_CUID() in file src/libopensc/card-cac.c a serial number is copied into serial->value. The length argument of the memcpy() is the length of the source, not the destination, which can lead to an out of bounds memory write.
In sc_pkcs15emu_esteid_init() in file src/libopensc/pkcs15-esteid.c an off-by-one write with a \x00 occurs in case the sc_read_record() function returns sizeof(buf) read bytes.
In sc_file_set_sec_attr() in file src/libopensc/sc.c a double free occurs in case sec_attr_len is equal to 0, since the call to realloc() will free file->sec_attr and return NULL. The variable is then freed again in the error handling path.
In read_file() in file src/tools/egk-tool.c a double free can be triggered in case two calls to sc_select_file() return a file->size of zero. The first call to realloc() frees the memory, the second frees it again.
In sc_pkcs15emu_sc_hsm_init() in file src/libopensc/pkcs15-sc-hsm.c a double free can occur, since this function can be called twice. The call to realloc() with a size of 0 would free priv->EF_C_DevAut, with a second call freeing the already freed memory.
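Added example (not OpenSC code) illustrating the realloc()-with-size-0 pattern behind the three double frees above, and a hardened form that handles a zero-length attribute explicitly. The struct file, its field names and the return codes are assumptions chosen for illustration, not OpenSC's own definitions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for OpenSC's file structure (not sc_file itself). */
struct file {
    unsigned char *sec_attr;
    size_t sec_attr_len;
};

enum { OK = 0, ERR_NOMEM = -1 };

/* Hardened "set attribute" routine. The buggy pattern behind the double
 * frees described in the advisory is, in outline:
 *     tmp = realloc(f->sec_attr, len);            // len == 0
 *     if (tmp == NULL) { free(f->sec_attr); return ERR; }
 * realloc(p, 0) may free p and return NULL, so the error path frees p a
 * second time. Here a zero length is handled explicitly, realloc() is never
 * called with 0, and on a real failure the old pointer stays valid. */
int file_set_sec_attr(struct file *f, const unsigned char *attr, size_t len)
{
    if (len == 0) {                 /* card reported an empty attribute */
        free(f->sec_attr);
        f->sec_attr = NULL;
        f->sec_attr_len = 0;
        return OK;
    }
    unsigned char *tmp = realloc(f->sec_attr, len);
    if (tmp == NULL)
        return ERR_NOMEM;           /* f->sec_attr still valid and owned by f */
    memcpy(tmp, attr, len);
    f->sec_attr = tmp;
    f->sec_attr_len = len;
    return OK;
}

/* Walk through the sequence from the advisory: store a 3-byte attribute
 * (constructed sample), then a zero-length one, then release the file.
 * Returns 1 when every step succeeds and no dangling pointer remains. */
int demo_zero_length_attr(void)
{
    struct file f = { NULL, 0 };
    const unsigned char attr[] = { 0x01, 0x02, 0x03 };
    if (file_set_sec_attr(&f, attr, sizeof attr) != OK) return 0;
    if (f.sec_attr_len != 3 || memcmp(f.sec_attr, attr, 3) != 0) return 0;
    if (file_set_sec_attr(&f, NULL, 0) != OK) return 0;
    if (f.sec_attr != NULL || f.sec_attr_len != 0) return 0;
    free(f.sec_attr);               /* free(NULL) is a no-op: no second free */
    return 1;
}
```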
iasecc_select_file() in file src/libopensc/card-iasecc.c calls iasecc_select_mf() in the same file, which calls iasecc_select_file() again. This can lead to an infinite recursion exhausting the stack.
2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, fixing started
2018-08-11 Patched version released: https://github.com/x41sec/OpenSC