CVE-2023-40660Improper Authentication in Project Opensc

CWE-287Improper AuthenticationCWE-327Use of a Broken or Risky Cryptographic Algorithm9 documents8 sources
Severity
6.6MEDIUMNVD
EPSS
0.0%
top 89.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Opensc Project OpenscRedhat Enterprise Linux
Timeline
PublishedNov 6
Latest updateApr 9

Description

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions,

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages2 packages

Debianopensc_project/opensc< 0.21.0-1+deb11u1+3

Also affects: Enterprise Linux 8.0, 9.0

🔴Vulnerability Details

3
CVEList
Opensc: potential pin bypass when card tracks its own login state2023-11-06
OSV
CVE-2023-40660: A flaw was found in OpenSC packages that allow a potential PIN bypass2023-11-06
GHSA
GHSA-7635-x5f9-5458: A flaw was found in OpenSC packages that allow a potential PIN bypass2023-11-06

📋Vendor Advisories

5
Ubuntu
OpenSC vulnerabilities2025-04-09
Ubuntu
OpenSC vulnerabilities2025-03-12
Microsoft
Opensc: potential pin bypass when card tracks its own login state2023-11-14
Red Hat
OpenSC: Potential PIN bypass when card tracks its own login state2023-09-25
Debian
CVE-2023-40660: opensc - A flaw was found in OpenSC packages that allow a potential PIN bypass. When a to...2023
CVE-2023-40660 — Improper Authentication | cvebase