OpenSC Stack-Buffer-Overflow Vulnerability in GET RESPONSE APDU Processing

Vulnerability

A stack-buffer-overflow vulnerability has been identified in OpenSC versions prior to 0.27.0. This issue arises in the libopensc library during the processing of the GET RESPONSE APDU, where a malicious smart card can cause the driver to write beyond the allocated buffer. The vulnerability requires physical access to the computer and a crafted USB device or smart card that delivers specially tailored responses to the APDUs. Affected card drivers include skeid, cardos, cyberflex, gemsafeV1, starcos, tcos, oberthur, authentic, iasecc, belpic, entersafe, rutoken_ecp, myeid, dnie, MaskTech, esteid2018, idprime, edo, coolkey, muscle, sc-hsm, mcrd, setcos, PIV-II, cac, itacns, isoApplet, gids, openpgp, jpki, npa, cac1, nqapplet, eOI, and default.
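The advisory does not show the faulty code, so the following is an added illustration of the overflow class described above, not OpenSC's code or its fix: a bounds-checked way to append a card's GET RESPONSE reply to a fixed-size buffer. The helper names, the 4-byte buffer, the requested length and the sample replies are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not OpenSC code: bounds-checked GET RESPONSE append. */
enum { GR_DONE = 0, GR_MORE = 1, GR_ERR_SHORT = -1, GR_ERR_BOUNDS = -2, GR_ERR_STATUS = -3 };

struct resp_buf {
    uint8_t *data; /* caller-owned output buffer */
    size_t cap;    /* total size of data */
    size_t len;    /* bytes already stored */
};

/* reply is laid out as data || SW1 SW2 and comes from an untrusted card. */
int append_get_response(struct resp_buf *out, const uint8_t *reply, size_t reply_len,
                        size_t requested_le, size_t *next_le)
{
    if (reply_len < 2)
        return GR_ERR_SHORT; /* no room for the status word */
    size_t n = reply_len - 2;
    uint8_t sw1 = reply[n], sw2 = reply[n + 1];
    /* n is card-controlled: cap it by what was requested and by the space left. */
    if (out->len > out->cap || n > requested_le || n > out->cap - out->len)
        return GR_ERR_BOUNDS;
    memcpy(out->data + out->len, reply, n);
    out->len += n;
    if (sw1 == 0x61) { /* 61 XX: XX more bytes pending (00 treated as 256 here) */
        *next_le = sw2 ? sw2 : 256;
        return GR_MORE;
    }
    return (sw1 == 0x90 && sw2 == 0x00) ? GR_DONE : GR_ERR_STATUS;
}

/* Constructed sample replies; the host side asked for Le = 4 each time. */
const uint8_t OVERSIZED[] = { 1, 2, 3, 4, 5, 6, 7, 8, 0x90, 0x00 };
const uint8_t CHAINED[] = { 0xAA, 0xBB, 0x61, 0x02 };

int demo_reply(const uint8_t *reply, size_t reply_len)
{
    uint8_t stack_buf[4]; /* fixed-size stack buffer (assumed size) */
    struct resp_buf out = { stack_buf, sizeof stack_buf, 0 };
    size_t next = 0;
    return append_get_response(&out, reply, reply_len, 4, &next);
}

int main(void)
{
    return !(demo_reply(OVERSIZED, sizeof OVERSIZED) == GR_ERR_BOUNDS &&
             demo_reply(CHAINED, sizeof CHAINED) == GR_MORE);
}
```

The oversized reply is rejected before any copy takes place, so the stack buffer is never written past its end.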

Impact

Exploitation of this vulnerability results in an out-of-bounds write on the stack. By overwriting the return address, this can crash the process or potentially allow arbitrary code execution.

Reproduction

To reproduce this vulnerability, a crafted USB device or smart card must be used that can send specially crafted responses to the APDUs during the GET RESPONSE command. This requires physical access to the computer while a user or administrator is actively using a token that interfaces with the vulnerable card drivers.

Remediation

Users are advised to update OpenSC to version 0.27.0 or later, where this vulnerability has been patched.

Added: Mar 30, 2026, 6:43 PM
Updated: Mar 30, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 1.3
exploitability: 3.4
remediation: 7.7
relevance: 4.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.