October 25, 2014

Buffer Overflow Flaw in Open Source Smart Card Library OpenSC

MWR InfoSecurity identified a vulnerability in OpenSC that can be triggered using a malicious smart card.
The buffer overflow is in the code that handles the smart card’s serial number in the following drivers:

  • card-atrust-acos.c
  • card-acos5.c
  • card-starcos.c

An attacker could use this vulnerability to execute arbitrary code on the target system. Successful exploitation requires the attacker to insert a specially crafted smart card into the target system.
The vendor has implemented a fix. Users should upgrade to the latest version of OpenSC.
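
The following added example is not OpenSC's code. It shows one way an overflow of this class arises when a card-supplied serial number is copied into a fixed-size buffer, next to a length-checked form. All names (`struct serial`, `SERIAL_MAX`, the `store_serial_*` functions) and the buffer size are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names and size for illustration; not OpenSC's definitions. */
#define SERIAL_MAX 16

struct serial {
    unsigned char value[SERIAL_MAX];
    size_t len;
};

/* Unsafe pattern: resp_len comes from the card, so a response longer
 * than SERIAL_MAX writes past the end of out->value. */
int store_serial_unchecked(struct serial *out,
                           const unsigned char *resp, size_t resp_len)
{
    memcpy(out->value, resp, resp_len);
    out->len = resp_len;
    return 0;
}

/* Hardened form: treat the card's length as untrusted and reject
 * anything that does not fit, leaving *out unchanged on error. */
int store_serial_checked(struct serial *out,
                         const unsigned char *resp, size_t resp_len)
{
    if (out == NULL || resp == NULL)
        return -1;
    if (resp_len == 0 || resp_len > sizeof(out->value))
        return -1;
    memcpy(out->value, resp, resp_len);
    out->len = resp_len;
    return 0;
}

/* Constructed sample responses: one well-formed, one oversized. */
static const unsigned char good_resp[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char long_resp[64] = {0};

/* Returns 0 when the good response is stored and the long one is refused. */
int demo(void)
{
    struct serial s = { {0}, 0 };
    int ok  = store_serial_checked(&s, good_resp, sizeof good_resp);
    int bad = store_serial_checked(&s, long_resp, sizeof long_resp);
    return (ok == 0 && bad == -1 && s.len == sizeof good_resp) ? 0 : 1;
}
```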

More information is available here.