CVE Catalog

CVE-2024-45616

LowCVSS 3.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

27th percentile — higher than 27% of all known CVEs

Summary

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK due to insufficient control of the response APDU buffer and its length during card communication. An attacker could use a crafted USB device or smart card to present specially crafted APDU responses.

Risk Assessment

The risk for the organization includes potential remote code execution or system integrity compromise by an attacker physically connecting a malicious USB device or smart card. This could lead to system takeover or sensitive data leakage.

Recommendation

It is recommended to immediately update OpenSC to the latest version containing security fixes. Additionally, restrict physical access to systems and use only trusted USB devices and smart cards.

Original NVD description (English source)

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS