CVE-2024-45616
LowCVSS 3.9Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK due to insufficient control of the response APDU buffer and its length during card communication. An attacker could use a crafted USB device or smart card to present specially crafted APDU responses.
Risk Assessment
The risk for the organization includes potential remote code execution or system integrity compromise by an attacker physically connecting a malicious USB device or smart card. This could lead to system takeover or sensitive data leakage.
Recommendation
It is recommended to immediately update OpenSC to the latest version containing security fixes. Additionally, restrict physical access to systems and use only trusted USB devices and smart cards.
Original NVD description (English source)
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

