OpenSC
cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*
- <= 0.26.1
A buffer overflow vulnerability has been identified in OpenSC versions through 0.26.1. The issue resides in the pkcs11-tool component, specifically in the test_kpgen_certwrite function of pkcs11-tool.c. During key pair generation tests, the length of the CKA_ID attribute returned by a PKCS#11 token or smart card is not properly validated, which allows a global buffer overflow. This flaw can be exploited remotely, although the attack's complexity is considered high.
Exploitation leads to a global buffer overflow: data larger than a fixed-size buffer is written beyond its bounds. This can corrupt adjacent global variables, alter the program's state, or overwrite function pointers, potentially allowing arbitrary code execution.
The vulnerability can be reproduced by crafting a malicious PKCS#11 module that returns an oversized CKA_ID attribute. This module can be loaded using the pkcs11-tool, which will trigger the buffer overflow. Alternatively, the vulnerability can be exploited by using a physical smart card device with customized firmware that returns excessive attribute data during key generation, thereby activating the flaw through standard OpenSC tools.
Users are advised to update to the latest version of OpenSC, as the vulnerability has been fixed in version 0.27.1. Instructions for downloading the latest release are available on the OpenSC GitHub page.
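The following C example is added here to illustrate the general pattern behind this class of bug; it is not OpenSC's code and not the patched pkcs11-tool source. It places a token-supplied attribute length copied blindly into a fixed-size global buffer beside a checked variant that refuses any CKA_ID longer than the destination. The attr_t struct, the function names, the 16-byte buffer size and the 64-byte token response are constructed assumptions for this example; CKA_ID is the value defined in the PKCS#11 specification.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PKCS#11 CK_ATTRIBUTE as filled in by
 * C_GetAttributeValue: the token supplies both the bytes and the length.
 * Not OpenSC's code; the names below are assumptions for this example. */
typedef struct {
    unsigned long type;        /* attribute type, e.g. CKA_ID */
    unsigned char *pValue;     /* token-supplied value bytes */
    unsigned long ulValueLen;  /* token-supplied length: must be treated as untrusted */
} attr_t;

#define CKA_ID 0x102UL          /* CKA_ID as defined in the PKCS#11 specification */
#define ID_BUF_SIZE 16          /* assumed fixed buffer size for the example */

static unsigned char g_id[ID_BUF_SIZE];   /* fixed-size global destination */
static size_t g_id_len;

/* Vulnerable pattern: the length reported by the token is trusted and used
 * directly as the copy size, so a CKA_ID longer than ID_BUF_SIZE writes past
 * g_id into whatever global follows it. Shown for contrast only; never called. */
void copy_id_unchecked(const attr_t *a) {
    memcpy(g_id, a->pValue, a->ulValueLen);
    g_id_len = a->ulValueLen;
}

/* Hardened pattern: bound the untrusted length by the destination size before
 * any copy happens. A token reporting CK_UNAVAILABLE_INFORMATION ((CK_ULONG)-1)
 * is rejected by the same range check. Returns 1 on success, 0 on rejection,
 * and writes nothing to dst when it rejects. */
static int copy_id_checked(const attr_t *a, unsigned char *dst, size_t dst_size, size_t *out_len) {
    if (a == NULL || a->pValue == NULL || dst == NULL || out_len == NULL)
        return 0;
    if (a->type != CKA_ID)
        return 0;
    if (a->ulValueLen == 0 || a->ulValueLen > dst_size)
        return 0;                      /* oversized or unavailable: refuse, do not truncate silently */
    memcpy(dst, a->pValue, (size_t)a->ulValueLen);
    *out_len = (size_t)a->ulValueLen;
    return 1;
}

/* Simulates a misbehaving token answering a CKA_ID query with 64 bytes
 * (constructed input). Returns 1 if the checked copy rejected the value and
 * left the destination untouched, 0 otherwise. */
static int oversized_id_is_rejected(void) {
    unsigned char too_long[64];
    unsigned char dst[ID_BUF_SIZE];
    size_t n = 0;
    attr_t a = { CKA_ID, too_long, sizeof too_long };

    memset(too_long, 0x41, sizeof too_long);
    memset(dst, 0, sizeof dst);

    if (copy_id_checked(&a, dst, sizeof dst, &n) != 0)
        return 0;                      /* should have been rejected */
    for (size_t i = 0; i < sizeof dst; i++)
        if (dst[i] != 0)
            return 0;                  /* nothing may be written on rejection */
    return n == 0;
}

int main(void) {
    unsigned char ok_id[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    attr_t a = { CKA_ID, ok_id, sizeof ok_id };

    if (copy_id_checked(&a, g_id, sizeof g_id, &g_id_len))
        printf("accepted CKA_ID of %zu bytes\n", g_id_len);
    printf("oversized CKA_ID rejected: %s\n", oversized_id_is_rejected() ? "yes" : "no");
    return 0;
}
```

The checked variant rejects rather than truncates: a silently shortened CKA_ID would still let a token steer which key the tool later looks up, so the length mismatch is surfaced as an error. For callers that must accept arbitrary lengths, the usual PKCS#11 idiom is to query the attribute with a NULL pValue first, obtain ulValueLen, and then allocate a buffer of exactly that size instead of copying into a fixed global.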