6.6

CVE-2023-40660

EPSS 0.03%
Published 06.11.2023 17:15:11
Last modified 04.12.2024 08:15:04
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

Affected products Warnungen 0 Metrics 3 CWE 1 References 14

Data is provided by the National Vulnerability Database (NVD)

Opensc Project ≫ Opensc Version <= 0.23.0

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.083

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.6	0.7	5.9	CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
secalert@redhat.com	6.6	0.7	5.9	CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://access.redhat.com/errata/RHSA-2023:7876

https://access.redhat.com/errata/RHSA-2023:7879

https://access.redhat.com/security/cve/CVE-2023-40660

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2240912

Issue Tracking

https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651

Issue Tracking

https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1

Release Notes

https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories

Vendor Advisory

http://www.openwall.com/lists/oss-security/2023/12/13/2

https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/

https://nvd.nist.gov/vuln/detail/CVE-2023-40660

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40660

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40660

EUVD