OpenSC PAM-PKCS#11 Segmentation Fault Vulnerability in Versions Prior to 0.6.12
Vulnerability
A segmentation fault vulnerability has been identified in the OpenSC PAM-PKCS#11 module, specifically in versions through 0.6.12. This issue arises when a user interrupts the PIN entry process by pressing Ctrl-C or Ctrl-D. The root cause is an attempt to clear an uninitialized password buffer, which leads to a crash. This vulnerability can impact the availability of systems using this PAM module, as it may cause related daemons to crash. As of now, no patch is available for this issue.
Impact
Exploitation of this vulnerability causes a segmentation fault, leading to a crash of the PAM-enabled application. This could disrupt services or processes that rely on PAM for authentication, potentially causing availability issues.
Reproduction
To reproduce this vulnerability, use a YubiKey with the OpenSC PAM-PKCS#11 module installed. When prompted for a PIN, interrupt the input by pressing Ctrl-C or Ctrl-D. This action will trigger a segmentation fault, causing the application to crash.
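The root cause described above, shown as an added C example (not code from pam_pkcs11 or OpenSC): the faulty cleanup pattern appears in a comment and the hardened form is the code that runs. `prompt_pin`, `cleanse_free` and `authenticate` are hypothetical names, and modelling the "uninitialized password buffer" as an unset pointer is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the PIN prompt: on EOF (Ctrl-D) or an
 * interrupted read it fails and never writes to *out. */
static int prompt_pin(FILE *in, char **out)
{
    char line[64];
    if (fgets(line, sizeof line, in) == NULL)
        return -1;                       /* aborted: *out left untouched */
    line[strcspn(line, "\n")] = '\0';
    *out = malloc(strlen(line) + 1);
    if (*out == NULL)
        return -1;
    strcpy(*out, line);
    return 0;
}

/* Zero and free a secret; safe to call when no secret was ever stored. */
static void cleanse_free(char *secret)
{
    if (secret == NULL)
        return;
    volatile char *p = (volatile char *)secret;  /* keep the wipe from being optimized out */
    size_t n = strlen(secret);
    while (n--)
        *p++ = 0;
    free(secret);
}

/* Returns 0 when a PIN was read, -1 when the prompt was aborted. */
int authenticate(FILE *in)
{
    /* Faulty pattern: declaring `char *pin;` without a value and then
     * clearing it unconditionally on the error path dereferences garbage. */
    char *pin = NULL;                    /* fix 1: known state before the prompt */
    int rc = prompt_pin(in, &pin);
    /* On success the PIN would be handed to the token login here. */
    cleanse_free(pin);                   /* fix 2: NULL-safe cleanup on every path */
    return rc;
}

int main(void)
{
    /* Press Ctrl-D at the prompt to exercise the aborted path. */
    return authenticate(stdin) == 0 ? 0 : 1;
}
```

An aborted prompt now produces an ordinary authentication failure instead of a crash in the calling process.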
