CVE-2019-15946

Vulnerability

The vulnerability resides in the asn1_decode_entry function within libopensc/asn1.c. It is an out-of-bounds access when decoding an ASN.1 Octet string. The issue occurs when the SC_ASN1_UNSIGNED flag is set and the code checks for a leading zero byte (obj[0] == 0x00) without first verifying that the buffer length (objlen) is greater than 1. This can lead to reading one byte before the start of the allocated buffer if objlen is 1 or 0. The bug affects OpenSC versions before 0.20.0-rc1 [1][4].

Exploitation

To exploit this, an attacker needs to supply a crafted ASN.1 structure (e.g., from a malicious smartcard or a manipulated PKCS#11 token) that triggers the vulnerable code path. No special privileges are required beyond presenting the malicious data to an application using OpenSC's library. The flaw is triggered during decoding of an Octet string that has the SC_ASN1_UNSIGNED flag and a length of 1 or 0 [1][4].

Impact

A successful out-of-bounds read can cause a crash (denial of service), and under certain conditions could leak sensitive memory contents. The attacker does not gain code execution from this read-only OOB access, but the confidentiality impact may include disclosure of adjacent memory [1][4].

Mitigation

The fix was included in OpenSC version 0.20.0-rc1, released on GitHub as a commit (a3fc7693) that reorders the condition to check objlen > 1 before accessing obj[0] [4]. The official 0.20.0 release further addressed this and other fuzzing-discovered vulnerabilities [2]. Users should upgrade to OpenSC 0.20.0 or later. No workaround is available for unpatched versions.