{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-07-31T00:00:00", "descriptions": [{"lang": "en", "value": "OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "30473", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/30473"}, {"name": "31330", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31330"}, {"name": "34362", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34362"}, {"name": "MDVSA-2008:183", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.opensc-project.org/security.html"}, {"name": "33115", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33115"}, {"name": "SUSE-SR:2009:004", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"name": "31360", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31360"}, {"name": "FEDORA-2009-2267", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"}, {"name": "DSA-1627", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2008/dsa-1627"}, {"name": "[opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"}, {"name": "32099", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32099"}, {"name": "SUSE-SR:2008:019", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"}, {"name": "GLSA-200812-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"}, {"name": "opensc-smartcard-cryptotoken-weak-security(44140)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-2235", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "30473", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30473"}, {"name": "31330", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31330"}, {"name": "34362", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34362"}, {"name": "MDVSA-2008:183", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"}, {"name": "http://www.opensc-project.org/security.html", "refsource": "CONFIRM", "url": "http://www.opensc-project.org/security.html"}, {"name": "33115", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33115"}, {"name": "SUSE-SR:2009:004", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"name": "31360", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31360"}, {"name": "FEDORA-2009-2267", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"}, {"name": "DSA-1627", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2008/dsa-1627"}, {"name": "[opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11", "refsource": "MLIST", "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"}, {"name": "32099", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32099"}, {"name": "SUSE-SR:2008:019", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"}, {"name": "GLSA-200812-09", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"}, {"name": "opensc-smartcard-cryptotoken-weak-security(44140)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T08:49:58.703Z"}, "title": "CVE Program Container", "references": [{"name": "30473", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/30473"}, {"name": "31330", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31330"}, {"name": "34362", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34362"}, {"name": "MDVSA-2008:183", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.opensc-project.org/security.html"}, {"name": "33115", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33115"}, {"name": "SUSE-SR:2009:004", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"name": "31360", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31360"}, {"name": "FEDORA-2009-2267", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"}, {"name": "DSA-1627", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2008/dsa-1627"}, {"name": "[opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"}, {"name": "32099", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32099"}, {"name": "SUSE-SR:2008:019", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"}, {"name": "GLSA-200812-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"}, {"name": "opensc-smartcard-cryptotoken-weak-security(44140)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-2235", "datePublished": "2008-08-01T14:00:00", "dateReserved": "2008-05-16T00:00:00", "dateUpdated": "2024-08-07T08:49:58.703Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:cardos:m4:*:*:*:*:*:*:*", "matchCriteriaId": "FEF8B710-EAF0-4381-B1C5-B2EAA91737DE", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:opensc-project:opensc:0.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "7D734B35-BA7F-4219-98DA-FCD55E5A37C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "349D5BCA-885C-4948-838E-E3904E49598E", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "471DBF4E-54B8-4776-A0BA-0F65FE02192E", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "EA4321E6-1D08-489C-948F-2673C30D762C", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "8498096A-19A9-4C09-99C3-CC1C45D6BA40", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "5028CF13-2807-4813-A542-A1CD6E735CC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.8:*:*:*:*:*:*:*", "matchCriteriaId": "8FD4CB51-068C-4AD2-94AC-59DE20A2AB77", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D8CA0B8-AC3B-4D0F-854D-EDF285EC01CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "931CE287-97AF-4B73-BA57-FB9B9AAA7016", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.9:*:*:*:*:*:*:*", "matchCriteriaId": "2BA979A3-A34F-4813-8489-C1985E22A398", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "6A64E85D-B1A7-48FB-8438-8173249ED817", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "940151B8-6466-43D7-A7EB-A28F13DA5B50", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.9.7:b:*:*:*:*:*:*", "matchCriteriaId": "0BE84E1D-F765-49E6-84E2-6831A535B67A", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.9.7:d:*:*:*:*:*:*", "matchCriteriaId": "CE85FABD-20F0-4308-B240-0E460E85CA08", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.9.8:*:*:*:*:*:*:*", "matchCriteriaId": "3752BA88-CA7A-4B79-96C4-A5EC9A6C2AC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "B093D7C9-242E-4CC7-9971-71D9AE19A7F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "353AFA23-88C0-45AA-B9EF-EF7A4DC6AFE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "EA2024C5-238A-4734-B8C6-D4F99EEFBC07", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.11.3:*:*:*:*:*:*:*", "matchCriteriaId": "DF611D89-FA24-4421-A8A8-5290629C81D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.11.3:pre3:*:*:*:*:*:*", "matchCriteriaId": "0ECCFF79-6515-42F8-B986-4C06BE1F79D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensc-project:opensc:0.11.4:*:*:*:*:*:*:*", "matchCriteriaId": "A74B19CB-8AFB-4A07-9A84-063BFF47E089", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN."}, {"lang": "es", "value": "OpenSC anterior a 0.11.5 usa permisos d\u00e9biles (archivo de control de informaci\u00f3n ADMIN de 00) para el directorio 5015 en smart cards y crypto tokens USB ejecut\u00e1ndose Siemens CardOS M4, que permite a atacantes pr\u00f3ximos f\u00edsicamente cambiar el PIN."}], "id": "CVE-2008-2235", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-08-01T14:41:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/31330"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/31360"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/32099"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/33115"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/34362"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"}, {"source": "cve@mitre.org", "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"}, {"source": "cve@mitre.org", "url": "http://www.opensc-project.org/security.html"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/30473"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2008/dsa-1627"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31330"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31360"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32099"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33115"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/34362"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.opensc-project.org/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/30473"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2008/dsa-1627"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Siemens has analyzed this report and states that no security breach can be found in the Siemens CardOS M4 itself and it thus does not relate to any Siemens component. The reported vulnerability (caused by inappropriate personalization) is due to an issue in the OPENSC middleware detailed information can be found under http://www.opensc-project.org/security.html. \n\nTherefore, Siemens recommends all customers and partners using OPENSC to use either the current version 0.11.5 of OPENSC in which this vulnerability is fixed or to use the bug fix suggested under http://freshmeat.net/articles/view/3333/. \n\nWe hope that we could help you with this recommendation. \n\nIf you have further questions, please contact the Siemens CardOS hotline under:\n\nscs-support.med@siemens.com\n\nPhone: +49 89 636 35996 (Mo.-Fr. 9:00-17:00 German time)\n\n", "lastModified": "2008-08-14T00:00:00", "organization": "Siemens"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "opensc: incorrect initialization of Siemens CardOS M4 smart cards", "id": "457367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=457367"}, "csaw": false, "details": ["OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN."], "name": "CVE-2008-2235", "public_date": "2008-07-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2008-2235\nhttps://nvd.nist.gov/vuln/detail/CVE-2008-2235"]}