VYPR
Unrated severity · NVD Advisory · Published Jan 31, 2024 · Updated Nov 6, 2025

OpenSC: side-channel leaks while stripping encryption PKCS#1 padding

CVE-2023-5992

Description

A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented in a side-channel-resistant way. This issue may result in a leak of private data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSC's PKCS#1 v1.5 decryption padding is not constant-time, enabling side-channel leaks of RSA private data via timing. Patched in 0.25.0.

Vulnerability

In OpenSC versions before 0.25.0, the PKCS#1 v1.5 encryption padding removal is not implemented in a side-channel-resistant (constant-time) manner [4]. When a smart card provides only raw RSA decryption, OpenSC performs the padding removal in software. This timing dependency lies in the common code path that handles RSA decryption operations [1][4].

Exploitation

An attacker needs network access to a system running an affected OpenSC version and the ability to measure the time taken by its RSA decryption operations (for example, over a local or remote connection with high-resolution timing). By capturing multiple RSA ciphertexts and observing the decryption timing, the attacker can learn information about the plaintext [2][4]. No authentication or user interaction beyond normal smart card use is required, but the attack depends on high-precision timing measurements, which is why its complexity is rated high [4].

Impact

Successful exploitation allows recovery of the plaintext of previously captured RSA ciphertexts (confidentiality breach) and, potentially, forgery of RSA signatures (integrity breach) [4]. The CVSS v3.0 base score for this vulnerability is 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) [4].

Mitigation

A fix is available in OpenSC version 0.25.0, released with constant-time PKCS#1 v1.5 depadding [4]. Red Hat Enterprise Linux 9 shipped updated opensc-0.23.0-4.el9_3 packages via RHSA-2024:0966 and RHSA-2024:0967 [1][3]. Users should upgrade to the patched version or apply vendor-supplied updates. No workarounds are documented for unpatched installations.
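As an added illustration (not code from OpenSC or from this advisory), the C below contrasts a naive EME-PKCS1-v1_5 decoder, whose early returns and separator scan make its running time depend on the secret padding, with a constant-time decoder of the kind the fix describes: every byte is visited, all checks are folded into bitmasks, and the copy uses a fixed access pattern. The function names and the 65536-byte size bound are this example's own choices; the "PS at least 8 bytes" rule is from the PKCS#1 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time primitives: each yields an all-ones or all-zero 32-bit mask. */
static uint32_t ct_is_zero(uint32_t x) { return ((x | (0u - x)) >> 31) - 1u; }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }
static uint32_t ct_ge(uint32_t a, uint32_t b) {   /* mask for a >= b */
    return 0u - (uint32_t)(1u - (((uint64_t)a - (uint64_t)b) >> 63));
}
static uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b) { return (a & mask) | (b & ~mask); }

/* Naive EME-PKCS1-v1_5 decoding (EM = 00 || 02 || PS || 00 || M): early returns and a
 * scan that stops at the first 0x00 make the running time depend on the secret plaintext. */
int pkcs1_v15_unpad_branchy(const uint8_t *em, size_t k, uint8_t *out, size_t tlen) {
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02) return -1;
    for (i = 2; i < k && em[i] != 0x00; i++) { }  /* the length of PS leaks here */
    if (i == k || i - 2 < 8) return -1;           /* no separator, or PS shorter than 8 */
    i++;                                          /* skip the 0x00 separator */
    if (k - i > tlen) return -1;
    memcpy(out, em + i, k - i);                   /* copy length depends on the secret */
    return (int)(k - i);
}

/* Constant-time decoding: every byte of EM is visited, the separator position and all
 * checks are folded into masks, and the copy touches the same addresses for every M. */
int pkcs1_v15_unpad_ct(const uint8_t *em, size_t k, uint8_t *out, size_t tlen) {
    uint32_t good, found = 0, zero_idx = 0, msg_idx, mlen, i, j;
    if (k < 11 || k > 65536 || tlen > 65536) return -1;  /* sizes are public, not secret */
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for (i = 2; i < k; i++) {                             /* index of first 0x00 after header */
        uint32_t is0 = ct_is_zero(em[i]);
        zero_idx = ct_select(~found & is0, i, zero_idx);
        found |= is0;
    }
    good &= found & ct_ge(zero_idx, 2 + 8);              /* separator exists, PS >= 8 bytes */
    msg_idx = zero_idx + 1;
    mlen = (uint32_t)k - msg_idx;
    good &= ct_ge((uint32_t)tlen, mlen);                  /* M must fit in the caller's buffer */
    for (j = 0; j < tlen; j++) {                          /* out[j] = em[msg_idx + j], else 0 */
        uint32_t b = 0;
        for (i = 2; i < k; i++) b = ct_select(ct_eq(i, msg_idx + j), em[i], b);
        out[j] = (uint8_t)(b & good);                     /* output zeroed if padding invalid */
    }
    return (int)ct_select(good, mlen, 0xFFFFFFFFu);       /* mlen on success, -1 otherwise */
}
```

The masks are only constant-time as far as the compiler preserves them, so the object code a build actually produces, not the source, is what a review has to check.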

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 21
Patches: 0 (no patches discovered yet)
References: 5
News mentions: 0 (no linked articles in the index yet)