NVD Vulnerability Detail

CVE-2009-0368

Summary	OpenSC before 0.11.7 allows physically proximate attackers to bypass intended PIN requirements and read private data objects via a (1) low level APDU command or (2) debugging tool, as demonstrated by reading the 4601 or 4701 file with the opensc-explorer or opensc-tool program.
Publication Date	March 3, 2009, 7:30 a.m.
Registration Date	Jan. 29, 2021, 1:14 p.m.
Last Update	Aug. 8, 2017, 10:33 a.m.

CVSS2.0 : LOW
Score	2.1
Vector	AV:L/AC:L/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:opensc-project:opensc:0.3.2:::::::*
cpe:2.3:a:opensc-project:opensc:0.3.5:::::::*
cpe:2.3:a:opensc-project:opensc:0.4.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.5.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.6.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.6.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.7.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.8:::::::*
cpe:2.3:a:opensc-project:opensc:0.8.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.8.0.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.8.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.9:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.2:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.3:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.4:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.5:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.6:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.7:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.7:b::::::
cpe:2.3:a:opensc-project:opensc:0.9.7:d::::::
cpe:2.3:a:opensc-project:opensc:0.9.8:::::::*
cpe:2.3:a:opensc-project:opensc:0.10.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.10.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.2:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.3:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.3:pre3::::::
cpe:2.3:a:opensc-project:opensc:0.11.4:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.5:::::::*
cpe:2.3:a:opensc-project:opensc::::::::		0.11.6

Related information, measures and tools

No	URL	refsource	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html	SUSE
2	http://openwall.com/lists/oss-security/2009/02/26/1	MLIST	Patch
3	http://secunia.com/advisories/34052	SECUNIA	Vendor Advisory
4	http://secunia.com/advisories/34120	SECUNIA
5	http://secunia.com/advisories/34362	SECUNIA
6	http://secunia.com/advisories/34377	SECUNIA
7	http://secunia.com/advisories/35065	SECUNIA
8	http://secunia.com/advisories/36074	SECUNIA
9	http://security.gentoo.org/glsa/glsa-200908-01.xml	GENTOO
10	http://www.debian.org/security/2009/dsa-1734	DEBIAN
11	http://www.opensc-project.org/pipermail/opensc-announce/2009-February/000023.html	MLIST	Vendor Advisory
12	http://www.securityfocus.com/bid/33922	BID	Exploit Patch
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/48958	XF
14	https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00673.html	FEDORA
15	https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html	FEDORA

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-310	暗号の問題	https://cwe.mitre.org/data/definitions/310.html

JVN Vulnerability Information

OpenSC におけるプライベートデータオブジェクトを読まれる脆弱性

Title	OpenSC におけるプライベートデータオブジェクトを読まれる脆弱性
Summary	OpenSC には、PIN の要件を回避される、およびプライベートデータオブジェクトを読まれる脆弱性が存在します。
Possible impacts	攻撃者により、(1) 低レベルの APDU コマンドまたは (2) デバックツールを介して、PIN の要件を回避される、およびプライベートデータオブジェクトを読まれる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	March 2, 2009, midnight
Registration Date	Sept. 25, 2012, 5:27 p.m.
Last Update	Sept. 25, 2012, 5:27 p.m.

Affected System

OpenSC team

OpenSC 0.11.7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-0368	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0368
National Vulnerability Database (NVD)
2	CVE-2009-0368	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0368

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
opensc-project
1	Top page	http://www.opensc-project.org/opensc

Change Log

No	Changed Details	Date of change
0	[2012年09月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:opensc-project:opensc:0.3.2:::::::*
cpe:2.3:a:opensc-project:opensc:0.3.5:::::::*
cpe:2.3:a:opensc-project:opensc:0.4.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.5.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.6.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.6.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.7.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.8:::::::*
cpe:2.3:a:opensc-project:opensc:0.8.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.8.0.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.8.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.9:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.2:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.3:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.4:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.5:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.6:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.7:::::::*
cpe:2.3:a:opensc-project:opensc:0.9.7:b::::::
cpe:2.3:a:opensc-project:opensc:0.9.7:d::::::
cpe:2.3:a:opensc-project:opensc:0.9.8:::::::*
cpe:2.3:a:opensc-project:opensc:0.10.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.10.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.0:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.1:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.2:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.3:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.3:pre3::::::
cpe:2.3:a:opensc-project:opensc:0.11.4:::::::*
cpe:2.3:a:opensc-project:opensc:0.11.5:::::::*
cpe:2.3:a:opensc-project:opensc::::::::		0.11.6