Here is our security announcement and information about our new versions.
OpenSC Security Advisory [31-Jul-2008]
OpenSC initializes CardOS cards with improper access rights
-------------------------------------------------------------------------------------------
Chaskiel M Grundman found a security vulnerability in OpenSC.
The vulnerability has been fixed in OpenSC 0.11.5.
In Mitre's CVE dictionary this issue is filed under CVE-2008-2235.
Users will need to run "pkcs15-tool -T -U" to test (-T) and
update (-U) the security settings on their card.
All versions of OpenSC prior to 0.11.5 initialized smart cards
with the Siemens CardOS M4 card operating system without proper
access rights: the ADMIN file control information (FCI) in the 5015
directory on the smart card was left at 00 (all access allowed).
With this bug anyone can change a user PIN without knowing the PIN
or PUK, or the superuser's PIN or PUK. However, it cannot be used
to figure out the PIN. Thus if the PIN on your card is still the
same one you always had, you can be sure that no one exploited
this vulnerability.
This vulnerability affects only smart cards and usb crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.
Users of other smart cards and usb crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected if the card was initialized with some software other
than OpenSC.
The new version of OpenSC implements a simple way to verify if a
card is affected or not:
pkcs15-tool now has two new options:
--test-update, -T Test if the card needs a security update
--update, -U Update the card with a security update
Running
pkcs15-tool -T
will either show
fci is up-to-date, card is fine
or
fci is out-off-date, card is vulnerable
If the card is vulnerable, please update the security setting using:
pkcs15-tool -T -U
this will show:
fci is out-off-date, card is vulnerable
security update applied with success.
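As an added example (not part of the advisory or of the OpenSC project), the following POSIX shell wrapper carries out the test, update and re-test procedure above and checks the tool's output instead of assuming the update took; it assumes the exact output strings quoted above, and treats any other output (no reader, no card, wrong tool) as an unknown state that is left alone.

```shell
#!/bin/sh
# Added example: drive "pkcs15-tool -T" / "pkcs15-tool -T -U" as described in
# the advisory and verify each step from the tool's own output.

# Tool to run; overridable (assumption) so the logic can be tested without a card.
: "${PKCS15_TOOL:=pkcs15-tool}"

# fci_state OUTPUT -> prints: fine | vulnerable | unknown
fci_state() {
    case "$1" in
        *"card is fine"*)       echo fine ;;
        *"card is vulnerable"*) echo vulnerable ;;
        *)                      echo unknown ;;
    esac
}

# update_applied OUTPUT -> succeeds only if the -U run reported success
update_applied() {
    case "$1" in
        *"security update applied with success"*) return 0 ;;
        *) return 1 ;;
    esac
}

# remediate_card: test, update only when vulnerable, then re-test the card.
# Exit codes: 0 card fine (already, or after a verified update),
#             1 update requested but not confirmed by the card,
#             2 tool output not understood (no card, no reader, wrong tool).
remediate_card() {
    out=$("$PKCS15_TOOL" -T 2>&1) || true
    case "$(fci_state "$out")" in
        fine)    echo "card already up to date"; return 0 ;;
        unknown) echo "cannot determine card state: $out" >&2; return 2 ;;
    esac
    out=$("$PKCS15_TOOL" -T -U 2>&1) || true
    update_applied "$out" || { echo "update not applied: $out" >&2; return 1; }
    # Re-run the test so the verdict comes from the card's FCI, not from
    # the update message alone.
    out=$("$PKCS15_TOOL" -T 2>&1) || true
    [ "$(fci_state "$out")" = fine ] || { echo "card still vulnerable" >&2; return 1; }
    echo "security update applied and verified"
}
```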
Our Mac OS X Installer Package "SCA" is also affected by this vulnerability:
Versions 0.2.2 and earlier are vulnerable. A new version 0.2.3 including this
fix will soon be available at
http://www.opensc-project.org/
Our Windows Installer Package "SCB" is also affected by this vulnerability:
All versions are affected. We don't have any windows developer left, so right
now no one can update this package. But new windows binaries built using mingw
will soon be available at
http://www.opensc-project.org/files/build/
New Versions
============
Today we release new versions of many projects:
OpenCT 0.6.15
http://www.opensc-project.org/files/openct/openct-0.6.15.tar.gz
OpenSC 0.11.5
http://www.opensc-project.org/files/opensc/opensc-0.11.5.tar.gz
Libp11 0.2.4
http://www.opensc-project.org/files/libp11/libp11-0.2.4.tar.gz
Pam_P11 0.1.4
http://www.opensc-project.org/files/pam_p11/pam_p11-0.1.4.tar.gz
Engine_PKCS11 0.1.5
http://www.opensc-project.org/files/engine_pkcs11/engine_pkcs11-0.1.5.tar.gz
Important: older versions of OpenSC had a security vulnerability.
Please update to the new version. If you used OpenSC to initialize
plain smart cards or usb crypto tokens using Siemens CardOS M4,
then you will need to update your card to fix the wrong configuration.
pkcs15-tool -T -U
will do this for you.
Changes in OpenCT 0.6.15 released 2008-07-31
* Build system rewritten (NOTICE: configure options were modified).
* Non-privileged configuration added; as a result the ifdhandler entry in
/etc/openct.conf was modified, please review the sample at etc/openct.conf before upgrading.
* The usb device-add udev rule (/dev/bus/usb/$env{BUSNUM}/$env{DEVNUM}) is now
shipped in a separate file, since most distributions already provide this rule
and a duplicate may conflict. Install it only if you are using an old udev that
lacks this statement.
* Basic coldplug support on Linux is available without libusb dependency.
* CCID-1.10 is now supported.
Changes in OpenSC 0.11.5 released 2008-07-31
* Apply security fix for cardos driver and extend pkcs15-tool to
test cards for the security vulnerability and update them.
* Build system rewritten (NOTICE: configure options were modified).
The build system can produce outputs for *NIX, cygwin and native
windows (using mingw).
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is now dynamically linked and no longer a compile-time dependency.
* PKCS#11 provider is now installed at LIBDIR/pkcs11
* PKCS#11 - Number of virtual slots moved into configuration.
* PKCS#11 - Fix fork() compliance.
* Make the sign_with_decrypt hack configurable for Siemens cards.
Changes in Lib_P11 0.2.4 released 2008-07-31
* Build system rewritten (NOTICE: configure options were modified).
The build system can produce outputs for *NIX, cygwin and native
windows (using mingw).
* added PKCS11_CTX_init_args (David Smith).
* fix segfault in init_args code.
* implemented PKCS11_private_encrypt (with PKCS11_sign now based on it)
(Arnaud Ebalard)
Changes in Pam_P11 0.1.4 released 2008-07-31
* new version with a number of build fixes
Changes in Engine PKCS#11 0.1.5 released 2008-07-31
* Build system rewritten (NOTICE: configure options were modified).
The build system can produce outputs for *NIX, cygwin and native
windows (using mingw).
* cleanup pin code, always use MAX_PIN_LENGTH, proper cleanup.
* Now uses PKCS11_CTX_init_args (David Smith).
* fix segfault in init_args code.
* needs new version of libp11 (0.2.4 or later).
_______________________________________________
opensc-devel mailing list
http://www.opensc-project.org/mailman/listinfo/opensc-devel