CVE-2023-40660

2023-11-0617:15:11

Alpine Linux Development Team

security.alpinelinux.org

opensc

pin bypass

cryptographic operations

security risk

os logon

screen unlock

token

unauthorized access

compromise system

6.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.6%

JSON

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user’s awareness.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchopensc< 0.24.0-r0UNKNOWN
Alpine3.19-communitynoarchopensc< 0.24.0-r0UNKNOWN
Alpine3.20-communitynoarchopensc< 0.24.0-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	opensc	< 0.24.0-r0	UNKNOWN
Alpine	3.19-community	noarch	opensc	< 0.24.0-r0	UNKNOWN
Alpine	3.20-community	noarch	opensc	< 0.24.0-r0	UNKNOWN