Vulnerability patch sysmoEUICC1 product #199

Closed
opened 2025-07-13 11:30:35 +02:00 by maximushugus · 4 comments

Hello,

Sysmocom recently discovered a vulnerability in the eSIM sysmoEUICC1 products: sysmoEUICC1-C2G, sysmoEUICC1-CMG, and sysmoEUICC1-C2T.

Here is the communication from sysmocom:

Dear customer,
we regretfully have to inform you that recent research has uncovered a security vulnerability in the Card Operating System sysmocom licensed from Kigen for use in the sysmoEUICC1 products, and defensive mitigation measures by applying the attached patch are strongly recommended.
We are reaching out as you have previously purchased this product from us in order[s] XXXX/XXXXXXX.
Please make sure this e-mail with all of its attachments is forwarded to the person technically responsible for the use of the affected product in your organization.
Thanks for your kind attention.

I attached the PDF sysmoEUICC1 security bulletin below.

There is a patch for those eSIM cards given by sysmocom itself, described in the PDF:

Kigen has provided a patch for the existing sysmoEUICC1. The patch consists of a very short sequence of APDUs that need to be sent to the EUICC. This can be done e.g. by inserting the sysmoEUICC1 in a smart card reader attached to a computer and executing a pySim-shell to perform the patching of the card.
For sysmoEUICC1-C2G/C2M deployed in remote devices in the field, it is recommended to apply the patch from the operating system that controls the cellular modem in the device. All that is needed is e.g. a few AT commands (AT+CSIM) to issue the patch APDUs towards the eUICC.

Below is the script given by sysmocom: sysmoEUICC1-patch-202507.txt

Would it be possible to integrate a way to apply this patch in OpenEUICC?

Thanks

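An added example of the AT+CSIM route the bulletin describes, written for this thread; it is neither sysmocom's sysmoEUICC1-patch-202507.txt nor OpenEUICC code. It frames each APDU line of a script as an AT+CSIM command (3GPP TS 27.007: the length field counts hex characters, and the modem answers `+CSIM: <length>,"<hex>"`), follows 61xx status words with GET RESPONSE, and aborts on the first status word other than 9000 so a half-applied patch is noticed. The APDUs in `DEMO_SCRIPT` are constructed placeholders (a SELECT of the GSMA ISD-R AID and a GET DATA), not the Kigen patch; the `FakeModem` class, the `/dev/ttyUSB2` port path and the use of pyserial are assumptions so the script runs offline. Feed the real patch file's contents to `send_apdus()` over `serial_transport()` on the device.

```python
"""Drive an (e)UICC APDU script through a cellular modem's AT+CSIM channel.

Added example; not sysmocom's patch script and not OpenEUICC code. The APDUs in
DEMO_SCRIPT are constructed placeholders, not the Kigen patch.
"""
import re
from typing import Callable, Dict, List, Tuple

Transport = Callable[[str], List[str]]  # sends one AT line, returns the modem's response lines

# Modem answer line, e.g. '+CSIM: 4,"9000"'
_CSIM_RE = re.compile(r'\+CSIM:\s*(\d+),"([0-9A-Fa-f]*)"')


def csim_command(apdu_hex: str) -> str:
    """Wrap a hex APDU in an AT+CSIM line. <length> counts hex characters, not bytes."""
    apdu_hex = apdu_hex.replace(" ", "").upper()
    if len(apdu_hex) % 2 or len(apdu_hex) < 8:  # at least CLA INS P1 P2
        raise ValueError(f"malformed APDU: {apdu_hex!r}")
    return f'AT+CSIM={len(apdu_hex)},"{apdu_hex}"'


def parse_csim_response(lines: List[str]) -> Tuple[bytes, int]:
    """Return (response data, status word) from the modem's reply; raise if there is none."""
    for line in lines:
        m = _CSIM_RE.search(line)
        if m:
            length, hexstr = int(m.group(1)), m.group(2)
            if length != len(hexstr) or length < 4:  # must at least carry SW1 SW2
                raise ValueError(f"inconsistent +CSIM response: {line.strip()!r}")
            raw = bytes.fromhex(hexstr)
            return raw[:-2], int.from_bytes(raw[-2:], "big")
    raise RuntimeError("modem gave no +CSIM response: " + " | ".join(l.strip() for l in lines if l.strip()))


def transceive(send: Transport, apdu_hex: str) -> Tuple[bytes, int]:
    """Send one APDU; while the card answers 61xx, fetch the pending bytes with GET RESPONSE."""
    data, sw = parse_csim_response(send(csim_command(apdu_hex)))
    out = bytearray(data)
    while (sw >> 8) == 0x61:
        data, sw = parse_csim_response(send(csim_command(f"00C00000{sw & 0xFF:02X}")))
        out += data
    return bytes(out), sw


def send_apdus(send: Transport, script_text: str, stop_on_error: bool = True) -> List[Tuple[str, int]]:
    """Run each non-empty, non-comment line of an APDU script; return [(apdu, sw), ...].

    With stop_on_error (the right default for a patch), the first SW other than 9000 aborts.
    """
    results = []
    for line in script_text.splitlines():
        apdu = line.split("#", 1)[0].replace(" ", "").strip().upper()
        if not apdu:
            continue
        _, sw = transceive(send, apdu)
        results.append((apdu, sw))
        if sw != 0x9000 and stop_on_error:
            raise RuntimeError(f"APDU {apdu} failed with SW={sw:04X}; script left incomplete")
    return results


def serial_transport(port: str = "/dev/ttyUSB2", baud: int = 115200) -> Transport:
    """Transport over a real modem AT port (assumptions: pyserial installed, AT channel at `port`)."""
    import serial  # imported lazily so the offline demo needs no pyserial
    ser = serial.Serial(port, baud, timeout=3)

    def send(cmd: str) -> List[str]:
        ser.write((cmd + "\r").encode("ascii"))
        lines: List[str] = []
        while True:
            raw = ser.readline()
            if not raw:  # read timeout
                break
            line = raw.decode("ascii", errors="replace").strip()
            lines.append(line)
            if line in ("OK", "ERROR") or line.startswith("+CME ERROR"):
                break
        return lines
    return send


class FakeModem:
    """Constructed stand-in for a modem so the example runs offline; payloads are dummies."""
    TABLE: Dict[str, str] = {
        # SELECT ISD-R by AID -> 61 10 (16 bytes pending); GET RESPONSE then yields a dummy FCI
        "00A4040010A0000005591010FFFFFFFF8900000100": "6110",
        "00C0000010": "6F0E8408A000000559101001850200009000",
        # GET DATA tag 9F7F with a dummy 3-byte value
        "80CA9F7F00": "9F7F03AABBCC9000",
    }

    def __init__(self) -> None:
        self.log: List[str] = []  # every AT line the host sent

    def send(self, cmd: str) -> List[str]:
        self.log.append(cmd)
        m = re.fullmatch(r'AT\+CSIM=(\d+),"([0-9A-F]+)"', cmd)
        if not m or int(m.group(1)) != len(m.group(2)):
            return ["ERROR"]  # modem rejects malformed framing
        resp = self.TABLE.get(m.group(2), "6D00")  # unknown command -> INS not supported
        return ["", f'+CSIM: {len(resp)},"{resp}"', "", "OK"]


DEMO_SCRIPT = """\
# constructed placeholder APDUs, not the Kigen patch
00A4040010A0000005591010FFFFFFFF8900000100   # SELECT ISD-R
80CA9F7F00                                   # GET DATA
"""


def run_demo() -> List[Tuple[str, int]]:
    """Apply DEMO_SCRIPT against the fake modem and return the per-APDU status words."""
    return send_apdus(FakeModem().send, DEMO_SCRIPT)


if __name__ == "__main__":
    for apdu, sw in run_demo():
        print(f"{apdu:44s} SW={sw:04X}")
```

On a real device, check which of the modem's serial ports accepts AT commands before pointing `serial_transport()` at it, and keep the log of status words: a step that returns anything other than 9000 means the card was not patched and the run must not silently continue.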
Contributor

This problem should not be resolved by OpenEUICC
Contributor

@laf0rge can this patch be made public?
Owner

This is not an OpenEUICC concern.
Author

@septs I agree this is not an OpenEUICC problem, but is there a way to apply such a patch with OpenEUICC?
Reference: PeterCxy/OpenEUICC#199