National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2008-2235 Detail

Description

OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN.

Source:  MITRE      Last Modified:  08/01/2008

Quick Info

CVE Dictionary Entry:
CVE-2008-2235
Original release date:
08/01/2008
Last revised:
08/07/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
4.9 MEDIUM
Vector:
(AV:L/AC:L/Au:N/C:N/I:C/A:N) (legend)
Impact Subscore:
6.9
Exploitability Subscore:
3.9
CVSS Version 2 Metrics:
Access Vector:
Locally exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Allows unauthorized modification

Vendor Statements (disclaimer)

Official Statement from Siemens (08/14/2008)

Siemens has analyzed this report and states that no security breach can be found in the Siemens CardOS M4 itself and it thus does not relate to any Siemens component. The reported vulnerability (caused by inappropriate personalization) is due to an issue in the OPENSC middleware detailed information can be found under http://www.opensc-project.org/security.html. Therefore, Siemens recommends all customers and partners using OPENSC to use either the current version 0.11.5 of OPENSC in which this vulnerability is fixed or to use the bug fix suggested under http://freshmeat.net/articles/view/3333/. We hope that we could help you with this recommendation. If you have further questions, please contact the Siemens CardOS hotline under: scs-support.med@siemens.com Phone: +49 89 636 35996 (Mo.-Fr. 9:00-17:00 German time)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html External Source SUSE SUSE-SR:2008:019
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html External Source SUSE SUSE-SR:2009:004
http://security.gentoo.org/glsa/glsa-200812-09.xml External Source GENTOO GLSA-200812-09
http://www.mandriva.com/security/advisories?name=MDVSA-2008:183 External Source MANDRIVA MDVSA-2008:183
http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html External Source MLIST [opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11
http://www.opensc-project.org/security.html External Source CONFIRM http://www.opensc-project.org/security.html
http://www.securityfocus.com/bid/30473 Patch External Source BID 30473
https://exchange.xforce.ibmcloud.com/vulnerabilities/44140 External Source XF opensc-smartcard-cryptotoken-weak-security(44140)
https://www.debian.org/security/2008/dsa-1627 External Source DEBIAN DSA-1627
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html External Source FEDORA FEDORA-2009-2267

Technical Details

Vulnerability Type (View All)

Change History 3 change records found - show changes