full-disclosure-uk August 2008 archive

[Full-disclosure] [PLSA 2008-33] [UPDATED] Opensc: Security Bypass

From: Pınar Yanardağ <pinar_at_nospam>
Date: Sun Aug 31 2008 - 01:13:37 GMT
To: pardus-security@pardus.org.tr



Pardus Linux Security Advisory 2008-33                security@pardus.org.tr
Date: 2008-08-31
Severity: 2
Type: Remote
------------------------------------------------------------------------

Summary


[UPDATE]: The previous security update, to OpenSC 0.11.5, had a small glitch caused by an overly strict check; this version fixes that issue.

A security issue has been reported in OpenSC, which can be exploited by malicious people to bypass certain security restrictions.

Description


The security issue is caused by the application improperly setting the ADMIN file control information to "00" while initializing smart cards that run the Siemens CardOS M4 operating system. This can be exploited to change a user PIN code without knowing the PIN or PUK if the smart card was initialized with OpenSC.

Affected packages:

   Pardus 2008:
     opensc, all before 0.11.6-7-2
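The advisory states that every opensc package before 0.11.6-7-2 is affected. The following is an added example (not part of the advisory or of Pardus tooling) that decides whether an installed package version predates the fixed one. It assumes the Pardus version layout upstream-release-build (e.g. "0.11.6-7-2"), compares numeric components as integers so that 0.11.10 sorts after 0.11.6, and treats a missing release or build field as 0; the sample inputs at the bottom are constructed, not real system output.

```python
import re
from typing import List, Tuple

# Fixed version quoted in the advisory: "all before 0.11.6-7-2" are affected.
FIXED_VERSION = "0.11.6-7-2"

Token = Tuple[int, object]


def _tokenize(segment: str) -> List[Token]:
    """Split a dotted version segment such as "0.11.6" into comparable tokens.

    Digit runs become (0, int) so that "10" sorts after "6"; any other run
    becomes (1, str). The leading tag keeps int and str from being compared
    directly. Pre-release suffixes (rc, beta) are not given special ordering.
    """
    tokens: List[Token] = []
    for match in re.finditer(r"(\d+)|([^\d.]+)", segment):
        if match.group(1) is not None:
            tokens.append((0, int(match.group(1))))
        else:
            tokens.append((1, match.group(2)))
    return tokens


def parse_pardus_version(version: str) -> Tuple[List[Token], int, int]:
    """Parse the assumed Pardus layout upstream-release-build, e.g. "0.11.6-7-2".

    A missing release or build field is treated as 0.
    """
    parts = version.strip().split("-")
    upstream = _tokenize(parts[0])
    release = int(parts[1]) if len(parts) > 1 and parts[1] else 0
    build = int(parts[2]) if len(parts) > 2 and parts[2] else 0
    return (upstream, release, build)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed package version is older than the fixed version."""
    return parse_pardus_version(installed) < parse_pardus_version(fixed)


if __name__ == "__main__":
    # Constructed sample inputs, not output of a real system.
    for sample in ["0.11.5-6-1", "0.11.6-7-1", "0.11.6-7-2", "0.11.10-1-1"]:
        print(sample, "affected" if is_affected(sample) else "fixed")
```

To use it against a real host, feed `is_affected` the version string reported by the package manager for opensc; anything it reports as affected should be updated as described in the Resolution section.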

Resolution


There are update(s) for opensc. You can update them via Package Manager or with a single command from the console:

     pisi up opensc

References


-- 
Pınar Yanardağ
Pardus Security Team
http://security.pardus.org.tr

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/