CVE-2023-40661

Description

Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.

How to fix CVE-2023-40661

To remediate CVE-2023-40661, upgrade the affected package to a fixed version below.

—upgrade to 0.21.0-1+deb11u1 or later

Is CVE-2023-40661 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.21.0-1+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-40661