var-201904-1363
Vulnerability from variot
The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10. CUPS is prone to a security weakness. Successfully exploiting this issue may allow attackers to bypass security mechanism. This may lead to other attacks. CPUS is an open source printing system. This vulnerability stems from configuration errors in network systems or products during operation. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
X41 D-Sec GmbH Security Advisory: X41-2018-005
Multiple Vulnerabilities in Apple smartcardservices
Overview
Confirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f Confirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de Vendor: Apple Vendor URL: https://smartcardservices.github.io/ Credit: X41 D-Sec GmbH, Eric Sesterhenn Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/
Summary and Impact
Attackers with local access can exploit security issues in the smartcard driver. These result in memory corruptions, which might lead to code execution. Since smartcards can be used for authentication, the vulnerabilities may allow an attacker to login to the system without valid credentials as any user. X41 did not perform a full test or audit on the software.
Product Description
The Smart Card Services project is comprised of several components which, when combined, provide the necessary abstraction layer and integration of smart cards into Appleas CDSA implementation.
Stack based buffer overflow
Severity Rating: Medium Vector: APDU Response CVE: CVE-2018-4300 CWE: 120 CVSS Score: 7.1 (High) CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary and Impact
In file Tokend/CAC/CACRecord.cpp the function CACCertificateRecord::getDataAttribute() might overwrite the value certificate and possibly other stack data, if a smartcard provides malicious data.
{% highlight c++ %} unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 }; unsigned char result[MAXBUFFERSIZE]; sizet resultLength = sizeof(result); uint8 certificate[CACMAXSIZECERT]; uint8 uncompressed[CACMAXSIZECERT]; sizet certificateLength = 0; try { PCSC::Transaction (cacToken); cacToken.select(mApplication); uint32t cacreturn; do { cacreturn = cacToken.exchangeAPDU(command, sizeof(command), result, resultLength); if ((cacreturn & 0xFF00) != 0x6300) CACError::check(cacreturn); sizet requested = command[4]; if (resultLength != requested + 2) PCSC::Error::throwMe(SCARDEPROTOMISMATCH); memcpy(certificate + certificateLength, result, resultLength - 2); certificateLength += resultLength - 2; // Number of bytes to fetch next time around is in the last byte // returned. command[4] = cacreturn & 0xFF; } while ((cacreturn & 0xFF00) == 0x6300); } catch (...) { return NULL; } {% endhighlight %}
As long as the smartcard returns a return code of 0x63FF, more data is copied into the certificate buffer, causing a stack based overflow. A malicious smartcard is able to control all of the overflowed bytes.
Workarounds
None
Stack based buffer overflow with limited input
Severity Rating: Medium Vector: APDU Response CVE: CVE-2018-4301 CWE: 120 CVSS Score: 7.1 (High) CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary and Impact
In file Tokend/PKCS11/GemaltoKeyHandle.cpp the function GemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value strData if the supplied dataLength is too big.
{% highlight c++ %}
void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken
&gemaltoToken, CKULONG mech, const AccessCredentials cred, unsigned
char data, sizet dataLength, unsigned char output, size_t &outputLength)
{
GemaltoToken::log("\nGemaltoPrivateKeyRecord::computeDecrypt
The attacker might control the data which is to be decrypted, but exploitation is limited by the sprintf() format string.
Workarounds
None
Timeline
2018-02-03 Issues found 2018-05-22 Vendor contacted 2018-05-22 Automated vendor reply 2018-05-23 Personal vendor reply 2018-06-05 Requesting technical feedback from the vendor 2018-06-22 Vendor states that the bugs are fixed in public git 2018-07-12 CVE IDs assigned 2018-08-03 https://smartcardservices.github.io/security/ updated 2018-08-11 Advisory released
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen T: +49 241 9809418-0, Fax: -9 Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989 GeschA$?ftsfA1/4hrer: Markus Vervier -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3ScACgkQo5Klpg50 CxCRNQ/+I+0oXn6oWXNARh+qU+fBxuUx8ydAIgDvEeBQddHAWaHQpVzkE7xgSZbg wUsmCMGEvAd6Jvfc4rH1gHy3jHl4zdLs7XDSslYUC3hc+BgsfvSR078+zNzzZ1yX 7Fe4vpq2Oep4Vbq2Y8wBrh5zui4PoS2afFRHKY5KaEKuzfvQGOS5WcKdFwm0WZNB 4l+b3ie/v2pBA7/YglYACyNkZU8bsNDAumuVeMP5MFdT0S88eE4hCwo3QJ1GurR5 4L5B+QDUwbMCA4pgH5ifOpdgDtHTLnYvoIKZGPT8Vu7lbjlHCdFKOjw52aiBqaHo iac/RBE8EzWjmeqE9UbHB6U0PeFdWbjVGhlPNBn1wErwyj18hK2rZRIJR0kGdBXU +1SXhxYbR4a2pB4VQcIpqWSQqgMe3IwoXIPpY5IIZwV/StjZ6/mnRMxZgiF7JnPQ OgI/F2AWFryJWtEtQ6gXAGEE2dkInVALo0ym509d5gRkkfAcoJXpSM3oa3BcOanV DJ3tMIE0H8UKXwL3EvRn02TvuZpbtvSDUyZniBl9vl5FMQJCK8Zh++jX9dOvplsR a/Ytuxt4KWFtuzU/gaQ5BjBHS80m9M7HJzMMohYY60Yyr4aczZxd8/8lZpggMNKE gDrded2INA+9ybxlcnWpSTIoD+Cl034kCqOWcjVzWW6/tYIiN+Q= =9tdn -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201904-1363",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "cups",
"scope": "lt",
"trust": 1.8,
"vendor": "apple",
"version": "2.2.10"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "2.0.1"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.7.4"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.7.3"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.11"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.7"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.5"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.21"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.20"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.18"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.17"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "2.0.3"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "2.0.2"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "2.0"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.7.2"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.7.1"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.7.0"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.5.4"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.5.3"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.5.2"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.5.1"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.5.0"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.7"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.6"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.5"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.4"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.3"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.2"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.1"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.4.0"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.6"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.4"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.3"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.2"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.10"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.1"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.3.0"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.9"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.8"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.7"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.6"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.5"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.4"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.3"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.2"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.12"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.11"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.10"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.1"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.2.0"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.9"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.8"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.7"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.5"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.4"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.3"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.2"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.19"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.16"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.15"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.14"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.13"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.12"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.11"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.10"
},
{
"model": "cups",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "1.1.1"
},
{
"model": "cups",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "2.2.10"
}
],
"sources": [
{
"db": "BID",
"id": "107785"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "NVD",
"id": "CVE-2018-4300"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.2.10",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-4300"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Unknown",
"sources": [
{
"db": "BID",
"id": "107785"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
],
"trust": 0.9
},
"cve": "CVE-2018-4300",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-4300",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-134331",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.9,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-4300",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-4300",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201904-134",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-134331",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134331"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "NVD",
"id": "CVE-2018-4300"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10. CUPS is prone to a security weakness. \nSuccessfully exploiting this issue may allow attackers to bypass security mechanism. This may lead to other attacks. CPUS is an open source printing system. This vulnerability stems from configuration errors in network systems or products during operation. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nX41 D-Sec GmbH Security Advisory: X41-2018-005\n\nMultiple Vulnerabilities in Apple smartcardservices\n===================================================\n\n\nOverview\n- --------\nConfirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f\nConfirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de\nVendor: Apple\nVendor URL: https://smartcardservices.github.io/\nCredit: X41 D-Sec GmbH, Eric Sesterhenn\nStatus: Public\nAdvisory-URL:\nhttps://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/\n\n\nSummary and Impact\n- ------------------\nAttackers with local access can exploit security issues in the\nsmartcard driver. These result in memory corruptions, which might lead\nto code execution. Since smartcards can be used for authentication,\nthe vulnerabilities may allow an attacker to login to the system\nwithout valid credentials as any user. \nX41 did not perform a full test or audit on the software. \n\n\nProduct Description\n- -------------------\nThe Smart Card Services project is comprised of several components\nwhich, when combined, provide the necessary abstraction layer and\nintegration of smart cards into Appleas CDSA implementation. \n\nStack based buffer overflow\n===========================\nSeverity Rating: Medium\nVector: APDU Response\nCVE: CVE-2018-4300\nCWE: 120\nCVSS Score: 7.1 (High)\nCVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n\nSummary and Impact\n- ------------------\nIn file Tokend/CAC/CACRecord.cpp the function\nCACCertificateRecord::getDataAttribute() might overwrite the value\ncertificate and possibly other stack data, if a smartcard provides\nmalicious data. \n\n{% highlight c++ %}\n unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 };\n unsigned char result[MAXBUFFERSIZE];\n sizet resultLength = sizeof(result);\n uint8 certificate[CACMAXSIZECERT];\n uint8 uncompressed[CACMAXSIZECERT];\n sizet certificateLength = 0;\n try\n {\n PCSC::Transaction (cacToken);\n cacToken.select(mApplication);\n uint32t cacreturn;\n do\n {\n cacreturn = cacToken.exchangeAPDU(command,\nsizeof(command), result,\n resultLength);\n if ((cacreturn \u0026 0xFF00) != 0x6300)\n CACError::check(cacreturn);\n sizet requested = command[4];\n if (resultLength != requested + 2)\n PCSC::Error::throwMe(SCARDEPROTOMISMATCH);\n memcpy(certificate + certificateLength,\nresult, resultLength - 2);\n certificateLength += resultLength - 2;\n // Number of bytes to fetch next time around\nis in the last byte\n // returned. \n command[4] = cacreturn \u0026 0xFF;\n } while ((cacreturn \u0026 0xFF00) == 0x6300);\n }\n catch (...)\n {\n return NULL;\n }\n{% endhighlight %}\n\nAs long as the smartcard returns a return code of 0x63FF, more data is\ncopied into the certificate buffer, causing a stack based overflow. A\nmalicious smartcard is able to control all of the overflowed bytes. \n\n\nWorkarounds\n- -----------\nNone\n\nStack based buffer overflow with limited input\n==============================================\nSeverity Rating: Medium\nVector: APDU Response\nCVE: CVE-2018-4301\nCWE: 120\nCVSS Score: 7.1 (High)\nCVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n\nSummary and Impact\n- ------------------\nIn file Tokend/PKCS11/GemaltoKeyHandle.cpp the function\nGemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value\nstrData if the supplied dataLength is too big. \n\n{% highlight c++ %}\nvoid GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken\n\u0026gemaltoToken, CKULONG mech, const AccessCredentials *cred, unsigned\nchar *data, sizet dataLength, unsigned char output, size_t \u0026outputLength)\n{\n GemaltoToken::log(\"\\nGemaltoPrivateKeyRecord::computeDecrypt\n\u003cBEGIN\u003e\\n\");\n GemaltoToken::log(\"GemaltoPrivateKeyRecord::computeDecrypt -\nmechanism \u003c%lu\u003e\\n\", mech);\n GemaltoToken::log(\"GemaltoPrivateKeyRecord::computeDecrypt -\ncred \u003c%p\u003e\\n\", cred);\n char strData[6000];\n memset(strData, \u0027\\0\u0027, sizeof(strData));\n char str = strData;\n for (size_t i=0; i\u003cdataLength; i++)\n {\n str += sprintf(str, \"%02x \", data[i]);\n }\n GemaltoToken::log(\"GemaltoPrivateKeyRecord::computeDecrypt -\ndataLength \u003c%lu\u003e - data \u003c%s\u003e\\n\", dataLength, strData);\n GemaltoToken::log(\"GemaltoPrivateKeyRecord::computeDecrypt -\noutput \u003c%p\u003e\\n\", output);\n GemaltoToken::log(\"GemaltoPrivateKeyRecord::computeDecrypt -\noutputLength \u003c%lu\u003e\\n\", outputLength);\n{% endhighlight %}\n\nThe attacker might control the data which is to be decrypted, but\nexploitation is limited by the sprintf() format string. \n\n\nWorkarounds\n- -----------\nNone\n\nTimeline\n========\n2018-02-03 Issues found\n2018-05-22 Vendor contacted\n2018-05-22 Automated vendor reply\n2018-05-23 Personal vendor reply\n2018-06-05 Requesting technical feedback from the vendor\n2018-06-22 Vendor states that the bugs are fixed in public git\n2018-07-12 CVE IDs assigned\n2018-08-03 https://smartcardservices.github.io/security/ updated\n2018-08-11 Advisory released\n- -- \nX41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen\nT: +49 241 9809418-0, Fax: -9\nUnternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989\nGeschA$?ftsfA1/4hrer: Markus Vervier\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3ScACgkQo5Klpg50\nCxCRNQ/+I+0oXn6oWXNARh+qU+fBxuUx8ydAIgDvEeBQddHAWaHQpVzkE7xgSZbg\nwUsmCMGEvAd6Jvfc4rH1gHy3jHl4zdLs7XDSslYUC3hc+BgsfvSR078+zNzzZ1yX\n7Fe4vpq2Oep4Vbq2Y8wBrh5zui4PoS2afFRHKY5KaEKuzfvQGOS5WcKdFwm0WZNB\n4l+b3ie/v2pBA7/YglYACyNkZU8bsNDAumuVeMP5MFdT0S88eE4hCwo3QJ1GurR5\n4L5B+QDUwbMCA4pgH5ifOpdgDtHTLnYvoIKZGPT8Vu7lbjlHCdFKOjw52aiBqaHo\niac/RBE8EzWjmeqE9UbHB6U0PeFdWbjVGhlPNBn1wErwyj18hK2rZRIJR0kGdBXU\n+1SXhxYbR4a2pB4VQcIpqWSQqgMe3IwoXIPpY5IIZwV/StjZ6/mnRMxZgiF7JnPQ\nOgI/F2AWFryJWtEtQ6gXAGEE2dkInVALo0ym509d5gRkkfAcoJXpSM3oa3BcOanV\nDJ3tMIE0H8UKXwL3EvRn02TvuZpbtvSDUyZniBl9vl5FMQJCK8Zh++jX9dOvplsR\na/Ytuxt4KWFtuzU/gaQ5BjBHS80m9M7HJzMMohYY60Yyr4aczZxd8/8lZpggMNKE\ngDrded2INA+9ybxlcnWpSTIoD+Cl034kCqOWcjVzWW6/tYIiN+Q=\n=9tdn\n-----END PGP SIGNATURE-----\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-4300"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "BID",
"id": "107785"
},
{
"db": "VULHUB",
"id": "VHN-134331"
},
{
"db": "PACKETSTORM",
"id": "148927"
}
],
"trust": 2.07
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-134331",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134331"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-4300",
"trust": 2.9
},
{
"db": "BID",
"id": "107785",
"trust": 2.0
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201904-134",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.3656",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148927",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-134331",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134331"
},
{
"db": "BID",
"id": "107785"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "PACKETSTORM",
"id": "148927"
},
{
"db": "NVD",
"id": "CVE-2018-4300"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
]
},
"id": "VAR-201904-1363",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-134331"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:48:10.424000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "v2.2.10",
"trust": 0.8,
"url": "https://github.com/apple/cups/releases/tag/v2.2.10"
},
{
"title": "CUPS Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91057"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134331"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "NVD",
"id": "CVE-2018-4300"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "http://www.securityfocus.com/bid/107785"
},
{
"trust": 2.0,
"url": "https://github.com/apple/cups/releases/tag/v2.2.10"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00028.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4300"
},
{
"trust": 0.9,
"url": "http://www.cups.org"
},
{
"trust": 0.9,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695929"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2018-4300"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4300"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.3656/"
},
{
"trust": 0.1,
"url": "https://smartcardservices.github.io/security/"
},
{
"trust": 0.1,
"url": "https://smartcardservices.github.io/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4301"
},
{
"trust": 0.1,
"url": "https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134331"
},
{
"db": "BID",
"id": "107785"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "PACKETSTORM",
"id": "148927"
},
{
"db": "NVD",
"id": "CVE-2018-4300"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-134331"
},
{
"db": "BID",
"id": "107785"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"db": "PACKETSTORM",
"id": "148927"
},
{
"db": "NVD",
"id": "CVE-2018-4300"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-03T00:00:00",
"db": "VULHUB",
"id": "VHN-134331"
},
{
"date": "2019-04-03T00:00:00",
"db": "BID",
"id": "107785"
},
{
"date": "2019-05-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"date": "2018-08-14T19:32:22",
"db": "PACKETSTORM",
"id": "148927"
},
{
"date": "2019-04-03T18:29:06.017000",
"db": "NVD",
"id": "CVE-2018-4300"
},
{
"date": "2019-04-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-09-28T00:00:00",
"db": "VULHUB",
"id": "VHN-134331"
},
{
"date": "2019-04-03T00:00:00",
"db": "BID",
"id": "107785"
},
{
"date": "2019-05-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015212"
},
{
"date": "2019-09-28T12:15:10.340000",
"db": "NVD",
"id": "CVE-2018-4300"
},
{
"date": "2019-09-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "CUPS web Of the generated session of the interface cookie Vulnerable to information disclosure",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015212"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-134"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.