Vulnerability Description
A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opensc Project | Opensc | <= 0.23.0 |
| Redhat | Enterprise Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2023:7876
- https://access.redhat.com/errata/RHSA-2023:7879
- https://access.redhat.com/security/cve/CVE-2023-40660Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2240912Issue Tracking
- https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651Issue Tracking
- https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1Release Notes
- https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisoriesVendor Advisory
- http://www.openwall.com/lists/oss-security/2023/12/13/2
- https://access.redhat.com/errata/RHSA-2023:7876
- https://access.redhat.com/errata/RHSA-2023:7879
- https://access.redhat.com/security/cve/CVE-2023-40660Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2240912Issue Tracking
- https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651Issue Tracking
- https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1Release Notes
- https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisoriesVendor Advisory
FAQ
What is CVE-2023-40660?
CVE-2023-40660 is a vulnerability with a CVSS score of 6.6 (MEDIUM). A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-...
How severe is CVE-2023-40660?
CVE-2023-40660 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40660?
Check the references section above for vendor advisories and patch information. Affected products include: Opensc Project Opensc, Redhat Enterprise Linux.