Vulnerabilities > CVE-2023-33221 - Out-of-bounds Write vulnerability in Idemia products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

idemia

CWE-787

critical

NVD

Published: 2023-12-15

Updated: 2023-12-21

Summary

When reading DesFire keys, the function that reads the card isn't properly checking the boundaries when copying internally the data received. This allows a heap based buffer overflow that could lead to a potential Remote Code Execution on the targeted device. This is especially problematic if you use Default DESFire key.

Vulnerable Configurations

Part	Description	Count
OS	Idemia Idemia Sigma Lite Firmware - Idemia Sigma Lite+ Firmware - Idemia Sigma Extreme Firmware - Idemia Sigma Wide Firmware - Idemia Morphowave Compact Firmware * Idemia Morphowave XP Firmware * Idemia Visionpass Firmware * Idemia Morphowave SP Firmware *	8
Hardware	Idemia Idemia Sigma Lite - Idemia Sigma Lite+ - Idemia Sigma Extreme - Idemia Sigma Wide - Idemia Morphowave Compact - Idemia Morphowave XP - Idemia Visionpass - Idemia Morphowave SP -	8

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

References

https://www.idemia.com/wp-content/uploads/2023/11/Security-Advisory-SA-2023-05-2.pdf