Executive Summary
Summary | |
---|---|
Title | OpenSC: Multiple vulnerabilities |
Informations | |||
---|---|---|---|
Name | GLSA-200908-01 | First vendor Publication | 2009-08-01 |
Vendor | Gentoo | Last vendor Modification | 2009-08-01 |
Severity (Vendor) | Normal | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Synopsis Multiple vulnerabilities were found in OpenSC. Background Description * b.badrignans discovered that OpenSC incorrectly initialises private data objects (CVE-2009-0368). * Miquel Comas Marti discovered that src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents (CVE-2009-1603). Impact NOTE: Smart cards which were initialised using an affected version of OpenSC need to be modified or re-initialised. See the vendor's advisory for details. Workaround Resolution References http://www.opensc-project.org/pipermail/opensc-announce/2009-February/000023.html Availability http://security.gentoo.org/glsa/glsa-200908-01.xml |
Original Source
Url : http://security.gentoo.org/glsa/glsa-200908-01.xml |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies |
CAPEC-37 | Lifting Data Embedded in Client Distributions |
CAPEC-65 | Passively Sniff and Capture Application Code Bound for Authorized Client |
CAPEC-117 | Data Interception Attacks |
CAPEC-155 | Screen Temporary Files for Sensitive Information |
CAPEC-157 | Sniffing Attacks |
CAPEC-167 | Lifting Sensitive Data from the Client |
CAPEC-204 | Lifting cached, sensitive data embedded in client distributions (thick or thin) |
CAPEC-205 | Lifting credential(s)/key material embedded in client distributions (thick or... |
CAPEC-258 | Passively Sniffing and Capturing Application Code Bound for an Authorized Cli... |
CAPEC-259 | Passively Sniffing and Capturing Application Code Bound for an Authorized Cli... |
CAPEC-260 | Passively Sniffing and Capturing Application Code Bound for an Authorized Cli... |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-312 | Cleartext Storage of Sensitive Information |
50 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13396 | |||
Oval ID: | oval:org.mitre.oval:def:13396 | ||
Title: | DSA-1734-1 opensc -- programming error | ||
Description: | b.badrignans discovered that OpenSC, a set of smart card utilities, could stores private data on a smart card without proper access restrictions. Only blank cards initialised with OpenSC are affected by this problem. This update only improves creating new private data objects, but cards already initialised with such private data objects need to be modified to repair the access control conditions on such cards. For the stable distribution, this problem has been fixed in version 0.11.4-5+lenny1. For the unstable distribution, this problem wil be fixed soon. We recommend that you upgrade your opensc package and recreate any private data objects stored on your smart cards. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1734-1 CVE-2009-0368 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | opensc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:8385 | |||
Oval ID: | oval:org.mitre.oval:def:8385 | ||
Title: | DSA-1734 opensc -- programming error | ||
Description: | B.Badrignans discovered that OpenSC, a set of smart card utilities, could store private data on a smart card without proper access restrictions. Only blank cards initialised with OpenSC are affected by this problem. This update only improves creating new private data objects, but cards already initialised with such private data objects need to be modified to repair the access control conditions on such cards. Instructions for a variety of situations can be found at the OpenSC web site: http://www.opensc-project.org/security.html The old stable distribution (etch) is not affected by this problem. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1734 CVE-2009-0368 | Version: | 3 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | opensc |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-10-13 | Name : SLES10: Security update for OpenSC File : nvt/sles10_opensc.nasl |
2009-10-11 | Name : SLES11: Security update for OpenSC File : nvt/sles11_libopensc2.nasl |
2009-08-17 | Name : Gentoo Security Advisory GLSA 200908-01 (opensc) File : nvt/glsa_200908_01.nasl |
2009-06-05 | Name : Fedora Core 9 FEDORA-2009-4883 (opensc) File : nvt/fcore_2009_4883.nasl |
2009-06-05 | Name : Fedora Core 10 FEDORA-2009-4919 (opensc) File : nvt/fcore_2009_4919.nasl |
2009-06-05 | Name : Fedora Core 10 FEDORA-2009-4928 (mingw32-opensc) File : nvt/fcore_2009_4928.nasl |
2009-06-05 | Name : Fedora Core 11 FEDORA-2009-4967 (mingw32-opensc) File : nvt/fcore_2009_4967.nasl |
2009-06-05 | Name : Mandrake Security Advisory MDVSA-2009:123 (opensc) File : nvt/mdksa_2009_123.nasl |
2009-05-20 | Name : OpenSC Incorrect RSA Keys Generation Vulnerability File : nvt/secpod_opensc_insecure_key_generation_vuln.nasl |
2009-05-20 | Name : SuSE Security Summary SUSE-SR:2009:010 File : nvt/suse_sr_2009_010.nasl |
2009-04-15 | Name : Mandrake Security Advisory MDVSA-2009:089 (opensc) File : nvt/mdksa_2009_089.nasl |
2009-03-20 | Name : Fedora Core 10 FEDORA-2009-2266 (opensc) File : nvt/fcore_2009_2266.nasl |
2009-03-20 | Name : Fedora Core 9 FEDORA-2009-2267 (opensc) File : nvt/fcore_2009_2267.nasl |
2009-03-16 | Name : OpenSC Security Bypass Vulnerability File : nvt/gb_opensc_sec_bypass_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
54499 | OpenSC pkcs11-tool src/tools/pkcs11-tool.c RSA Key Public Exponent Generation... |
52828 | OpenSC Debugging Tools PIN Requirement Bypass |
52827 | OpenSC Low Level APDU Command PIN Requirement Bypass |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-07-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-123.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libopensc2-090317.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_opensc-6053.nasl - Type : ACT_GATHER_INFO |
2009-08-03 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200908-01.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libopensc2-090309.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libopensc2-090309.nasl - Type : ACT_GATHER_INFO |
2009-06-03 | Name : The remote Fedora host is missing a security update. File : fedora_2009-4928.nasl - Type : ACT_GATHER_INFO |
2009-06-03 | Name : The remote Fedora host is missing a security update. File : fedora_2009-4967.nasl - Type : ACT_GATHER_INFO |
2009-06-01 | Name : The remote Fedora host is missing a security update. File : fedora_2009-4883.nasl - Type : ACT_GATHER_INFO |
2009-06-01 | Name : The remote Fedora host is missing a security update. File : fedora_2009-4919.nasl - Type : ACT_GATHER_INFO |
2009-05-01 | Name : The remote openSUSE host is missing a security update. File : suse_libopensc2-6071.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2266.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-089.nasl - Type : ACT_GATHER_INFO |
2009-03-19 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2267.nasl - Type : ACT_GATHER_INFO |
2009-03-08 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1734.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:36:38 |
|