Sigma Lite Firmware
CVE-2023-33221
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
When reading DesFire keys, the function that reads the card isn't properly checking the boundaries when copying internally the data received. This allows a heap based buffer overflow that could lead to a potential Remote Code Execution on the targeted device. This is especially problematic if you use Default DESFire key.
AnalysisAI
When reading DesFire keys, the function that reads the card isn't properly checking the boundaries when copying internally the data received. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-122. When reading DesFire keys, the function that reads the card isn't properly checking the boundaries when copying internally the data received. This allows a heap based buffer overflow that could lead to a potential Remote Code Execution on the targeted device. This is especially problematic if you use Default DESFire key. Affected products include: Idemia Sigma Lite Firmware, Idemia Sigma Lite\+ Firmware, Idemia Sigma Extreme Firmware, Idemia Sigma Wide Firmware, Idemia Morphowave Compact Firmware.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Sigma Lite Firmware
View allWhen handling contactless cards, usage of a specific function to get additional information from the card which doesn't
During the retrofit validation process, the firmware doesn't properly check the boundaries while copying some attributes
The handler of the retrofit validation command doesn't properly check the boundaries when performing certain validation
The Parameter Zone Read and Parameter Zone Write command handlers allow performing a Stack buffer overflow. Rated critic
A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2, Sigma de
By abusing a design flaw in the firmware upgrade mechanism of the impacted terminal it's possible to cause a permanent d
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today