CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init
The reported issues are part of the libopensc library, which makes them accessible from OpenSC tools, PKCS#11 module, minidriver, or CTK. One is only relevant to handling the card enrollment using the pkcs15-init tool. The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity.
The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.). The uninitialized variables were reflected in the following functions:
- cac_read_file
- calling function for reading files with uninitialized values for buffer and length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L389)
- found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt
- fixed with 5e4f26b510b04624386c54816bf26aacea0fe4a1
- piv_get_challenge
- uninitialized value later used in piv_get_challenge, since variables are not initialized by sc_asn1_read_tag (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-piv.c#L4459)
- found via fuzz_pkcs11
- fixed with 7d68a7f442e38e16625270a0fdc6942c9e9437e6
- sc_asn1_decode_object_id
- uninitialized values come from sc_pkcs15_get_name_from_dn function (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-cert.c#L172)
- found via fuzz_pkcs11
- fixed with bb3dedb71e59bd17f96fd4e807250a5cf2253cb7
- sc_pkcs15emu_sc_hsm_decode_cvc
- uninitialized values not filled by sc_asn1_read_tag function (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-sc-hsm.c#L389)
- found via fuzz_pkcs15_crypt
- fixed with 42d718dfccd2a10f6d26705b8c991815c855fa3b
- do_init_app, sc_pkcs15init_create_pin
- uninitialized value comes from do_pin_flags (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/profile.c#L1812)
- found via fuzz_pkcs15init
- fixed with bde991b0fe4f0250243b0e4960978b1043c13b03
Affected versions: all before 0.26.0
Originally reported by Matteo Marini (Sapienza University of Rome)
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (3.9)