Vulnerability Details : CVE-2008-2235
OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN.
Products affected by CVE-2008-2235
- cpe:2.3:a:opensc-project:opensc:0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.9.7:d:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.11.3:pre3:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:opensc-project:opensc:0.9.7:b:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-2235
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 18 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-2235
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.9
|
MEDIUM | AV:L/AC:L/Au:N/C:N/I:C/A:N |
3.9
|
6.9
|
NIST |
CWE ids for CVE-2008-2235
-
Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-2235
-
Siemens 2008-08-14Siemens has analyzed this report and states that no security breach can be found in the Siemens CardOS M4 itself and it thus does not relate to any Siemens component. The reported vulnerability (caused by inappropriate personalization) is due to an issue in the OPENSC middleware detailed information can be found under http://www.opensc-project.org/security.html. Therefore, Siemens recommends all customers and partners using OPENSC to use either the current version 0.11.5 of OPENSC in which this vulnerability is fixed or to use the bug fix suggested under http://freshmeat.net/articles/view/3333/. We hope that we could help you with this recommendation. If you have further questions, please contact the Siemens CardOS hotline under: scs-support.med@siemens.com Phone: +49 89 636 35996 (Mo.-Fr. 9:00-17:00 German time)
References for CVE-2008-2235
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/44140
OpenSC smart cards and USB crypto token weak security CVE-2008-2235 Vulnerability Report
-
http://secunia.com/advisories/34362
About Secunia Research | Flexera
-
http://secunia.com/advisories/31360
About Secunia Research | Flexera
-
http://secunia.com/advisories/32099
About Secunia Research | Flexera
-
http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html
Page not found – opensc-project.org
-
http://www.securityfocus.com/bid/30473
Patch
-
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:004 - openSUSE Security Announce - openSUSE Mailing Lists
-
http://security.gentoo.org/glsa/glsa-200812-09.xml
OpenSC: Insufficient protection of smart card PIN (GLSA 200812-09) — Gentoo security
-
http://www.mandriva.com/security/advisories?name=MDVSA-2008:183
Mandriva
-
https://www.debian.org/security/2008/dsa-1627
Debian -- Security Information -- DSA-1627-2 opensc
-
http://secunia.com/advisories/31330
About Secunia Research | Flexera
-
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html
[SECURITY] Fedora 9 Update: opensc-0.11.7-1.fc9
-
http://secunia.com/advisories/33115
About Secunia Research | Flexera
-
http://www.opensc-project.org/security.html
Page not found – opensc-project.org
-
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2008:019 - openSUSE Security Announce - openSUSE Mailing Lists
Jump to