CVE-2019-19481
Description
An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-cac1.c mishandles buffer limits for CAC certificates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3 mishandles buffer limits for CAC certificates, allowing a potential heap-based buffer over-read.
Vulnerability
OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3 mishandles buffer limits in the function cac_cac1_get_certificate in libopensc/card-cac1.c. The code path for retrieving CAC certificates does not correctly update the buffer offset and remaining length during iterative APDU reads, potentially leading to a heap-based buffer over-read. This affects the CAC (Common Access Card) driver when it processes specially crafted certificates.
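A simplified model of a chunked fetch loop that keeps the offset and remaining length in step, added here as an illustration; it is not OpenSC's code or the upstream patch. The names `fake_card`, `fake_read`, `fetch_cert`, `demo` and `CHUNK_MAX` are hypothetical, and the card data is constructed.

```c
#include <stddef.h>
#include <string.h>

#define CHUNK_MAX 100 /* assumed per-response limit in this model */

/* Constructed stand-in for a card holding `total` bytes of certificate. */
struct fake_card { const unsigned char *data; size_t total, pos; };

/* Delivers up to `want` bytes; *more = bytes the card says are pending. */
static size_t fake_read(struct fake_card *c, unsigned char *dst,
                        size_t want, size_t *more)
{
    size_t n = c->total - c->pos;
    if (n > want) n = want;
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
    *more = c->total - c->pos;
    return n;
}

/* Each pass advances the write pointer and shrinks the remaining room;
 * the request is clamped to the card's claim and to what still fits.
 * Returns bytes stored, or -1 once no room is left with data pending. */
long fetch_cert(struct fake_card *c, unsigned char *out, size_t cap)
{
    unsigned char *p = out;
    size_t left = cap, more = CHUNK_MAX;
    while (more > 0) {
        size_t want = more < CHUNK_MAX ? more : CHUNK_MAX;
        if (left == 0) return -1;   /* data pending but no room left */
        if (want > left) want = left;
        size_t got = fake_read(c, p, want, &more);
        if (got == 0) break;
        p += got;       /* the bookkeeping the page says was mishandled */
        left -= got;
    }
    return (long)(cap - left);
}

/* Constructed input: `total` patterned bytes into a `cap`-byte buffer
 * (both <= 512). Returns fetch_cert's result, or -2 on a data mismatch. */
long demo(size_t total, size_t cap)
{
    static unsigned char src[512], dst[512];
    struct fake_card c = { src, total, 0 };
    for (size_t i = 0; i < total; i++) src[i] = (unsigned char)(i * 7);
    long n = fetch_cert(&c, dst, cap);
    return (n > 0 && memcmp(src, dst, (size_t)n) != 0) ? -2 : n;
}
```

The content comparison in `demo` fails if the write pointer is not advanced between chunks, so it checks the pointer update as well as the length accounting.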
Exploitation
An attacker needs to supply a malicious CAC certificate to the OpenSC library. This could happen if a user inserts a tampered smart card or if an application using OpenSC processes a crafted certificate. Exploitation does not require network access if the attacker can physically present the card; otherwise, it may require the victim to process the attacker-controlled data through OpenSC. The bug is triggered in the certificate fetching loop, where the buffer pointer and remaining size are not adjusted after each read, allowing out-of-bounds reads.
Impact
Successful exploitation could lead to disclosure of sensitive memory contents (information disclosure) or potentially a crash (denial of service). The scope is limited to the OpenSC process; an attacker might read heap memory beyond the intended buffer, potentially leaking cryptographic material or other sensitive data processed by the library.
Mitigation
The fix is included in OpenSC 0.20.0, released on 2019-12-29, which corrects the buffer management logic (commit b75c002cfb1fd61cd20ec938ff4937d7b1a94278) [1][2]. Users should upgrade to version 0.20.0 or later. No workarounds are documented; the only mitigation is to use the patched version. Fedora packages have also been updated [3]. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (5)
- Range: <=0.19.0, >=0.20.0 <0.20.0-rc3
- osv-coords (4 versions), no CPE, range for each: < 0.18.0-150000.3.23.1
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS
  - pkg:rpm/suse/opensc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
References (4)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDSQLMZZYBHO5X3BK7D6E7E6NZIMZDI5/ (mitre, vendor-advisory, x_refsource_FEDORA)
- www.openwall.com/lists/oss-security/2019/12/29/1 (mitre, mailing-list, x_refsource_MLIST)
- bugs.chromium.org/p/oss-fuzz/issues/detail (mitre, x_refsource_MISC)
- github.com/OpenSC/OpenSC/commit/b75c002cfb1fd61cd20ec938ff4937d7b1a94278 (mitre, x_refsource_MISC)