*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):
Binary package hint: opensc See http://www.opensc-project.org/security.html OpenSC Security Advisory [31-Jul-2008] OpenSC initializes CardOS cards with improper access rights Chaskiel M Grundman found a security vulnerability in OpenSC. The vulnerability has been fixed in OpenSC 0.11.5. In Mitre's CVE dictionary this issue is filed under CVE-2008-2235. Users will need to run "pkcs15-tool -T -U" to test (-T) and update (-U) the security settings on their card. All versions of OpenSC prior to 0.11.5 initialized smart cards with Siemens CardOS M4 card operating system without proper access right: the ADMIN file control information in the 5015 directory on the smart card was left to 00 (all access allowed). With this bug anyone can change a user PIN without having the PIN or PUK or the superusers PIN or PUK. However it can not be used to figure out the PIN. Thus if the PIN on your card is still the same you always had, then you can be sure, that noone exploited this vulnerability. This vulnerability affects only smart cards and usb crypto tokens based on Siemens CardOS M4, and within that group only those that were initialized with OpenSC. Users of other smart cards and usb crypto tokens are not affected. Users of Siemens CardOS M4 based smart cards and crypto tokens are not affected, if the card was initialized with some software other than OpenSC. The new version of OpenSC implements a simple way to verify if a card is affected or not: pkcs15-tool has now two new options: --test-update, -T Test if the card needs a security update --update, -U Update the card with a security update Running pkcs15-tool -T will either show fci is up-to-date, card is fine or fci is out-off-date, card is vulnerable If the card is vulnerable, please update the security setting using: pkcs15-tool -T -U this will show: fci is out-off-date, card is vulnerable security update applied with success. Our Mac OS X Installer Package "SCA" is also affected by this vulnerability: Version 0.2.2 and earleir are vulnerable. A new version 0.2.3 including this fix will soon be available. Our Windows Installer Package "SCB" is also affected by this vulnerability: All versions are affected. We don't have any windows developer left, so right now noone can update this package. But new windows binaries build using mingw will be soon available instead. ** Affects: opensc (Ubuntu) Importance: Undecided Status: New -- OpenSC initializes CardOS cards with improper access rights https://bugs.launchpad.net/bugs/256771 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
