VYPR
Unrated severity · NVD Advisory · Published Dec 1, 2019 · Updated Aug 5, 2024

CVE-2019-19479

Description

An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-setcos.c has an incorrect read operation during parsing of a SETCOS file attribute.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3 has an incorrect read operation in card-setcos.c when parsing SETCOS file attributes, leading to potential information disclosure.

Vulnerability

The vulnerability exists in OpenSC versions through 0.19.0 and 0.20.x through 0.20.0-rc3. In libopensc/card-setcos.c, the function parse_sec_attr_44 performs an incorrect read operation when parsing a SETCOS file attribute. Specifically, the line iPinCount = iACLen - 1; does not check whether iACLen is zero before subtracting, so a zero iACLen leads to an out-of-bounds read [3]. This occurs while the security attributes of a SETCOS card are being processed.
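The length-arithmetic pattern the narrative describes, shown as an added example that is not OpenSC's code: the attribute layout (a length byte, a method byte, then PIN references) is constructed for this illustration rather than the real SETCOS encoding, and parse_sec_attr_unchecked models the described defect while parse_sec_attr_checked shows the bounds checks a parser of untrusted card data needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed attribute layout used for this example (not the SETCOS encoding):
 *   buf[0]          = ac_len, byte length of the access-condition field
 *   buf[1]          = access method
 *   buf[2..ac_len]  = PIN references, so the PIN count is ac_len - 1        */
#define MAX_PINS 16

/* Unchecked shape matching the narrative: the count is derived from ac_len
 * with no zero check and no comparison against len. For ac_len == 0 the
 * subtraction wraps and the loop walks past the end of the attribute. */
size_t parse_sec_attr_unchecked(const uint8_t *buf, size_t len, uint8_t pins[MAX_PINS])
{
    (void)len;                                  /* never consulted: the defect */
    size_t pin_count = (size_t)buf[0] - 1;      /* SIZE_MAX when buf[0] == 0 */
    for (size_t i = 0; i < pin_count && i < MAX_PINS; i++)
        pins[i] = buf[2 + i];                   /* reads beyond buf on bad input */
    return pin_count;
}

/* Hardened form: every length is validated against the bytes actually
 * present before any read. Returns the PIN count, or -1 on malformed input. */
int parse_sec_attr_checked(const uint8_t *buf, size_t len, uint8_t pins[MAX_PINS])
{
    if (len < 1)
        return -1;                              /* no length byte at all */
    size_t ac_len = buf[0];
    if (ac_len < 1 || ac_len > len - 1)
        return -1;                              /* empty field, or claims more than is present */
    size_t pin_count = ac_len - 1;              /* cannot underflow: ac_len >= 1 */
    if (pin_count > MAX_PINS)
        return -1;
    for (size_t i = 0; i < pin_count; i++)
        pins[i] = buf[2 + i];                   /* index <= ac_len <= len - 1 */
    return (int)pin_count;
}

int main(void)
{   /* Constructed samples: well-formed, zero-length field, truncated field. */
    static const uint8_t good[] = { 0x03, 0x01, 0x11, 0x22 }, zero[] = { 0x00 }, trunc[] = { 0x05, 0x01, 0x11 };
    uint8_t pins[MAX_PINS];
    printf("good=%d zero=%d trunc=%d\n", parse_sec_attr_checked(good, sizeof good, pins),
           parse_sec_attr_checked(zero, sizeof zero, pins), parse_sec_attr_checked(trunc, sizeof trunc, pins));
    return 0;
}
```

The checked parser rejects both the zero-length field and the field that claims more bytes than the buffer holds, which is the check a fuzzer-driven regression test for this class of bug would assert on.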

Exploitation

An attacker would need to provide a crafted SETCOS card or a malicious file with a manipulated security attribute that causes iACLen to be zero. The attacker must have physical access to the card reader or be able to supply a crafted file to the OpenSC library. No authentication is required beyond the ability to trigger the parsing of the file attributes. The incorrect read occurs when the library processes the attribute, leading to an out-of-bounds read from the buffer.

Impact

The out-of-bounds read can result in the disclosure of sensitive information from memory, such as cryptographic keys or other data processed by the library. The impact is limited to information disclosure; there is no evidence of code execution or privilege escalation from this vulnerability. The severity is considered moderate, as it requires a crafted card or file to be parsed.

Mitigation

The fix was implemented in commit c3f23b836e5a1766c36617fe1da30d22f7b63de2 [3] and is included in OpenSC version 0.20.0, released on 2019-12-29 [1]. Users should upgrade to OpenSC 0.20.0 or later. For those unable to upgrade, no workaround is available; the vulnerability is addressed only by updating the library.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 10

Patches: 0
No patches discovered yet.

Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0
No linked articles in our index yet.