Date: Thu, 18 Apr 2013 06:45:32 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, neoice@...ice.net, Alexander Wirt <formorer@...ian.org>
Subject: CVE-2012-XXYY Request -- google-authenticator: Information disclosure due to insecure requirement on the secrets file

Hello Kurt, Steve, Alexander, vendors,

as noted in :

An information disclosure flaw was found in the way google-authenticator, a pluggable authentication module (PAM) which allows login using one-time passcodes conforming to the open standards developed by the Initiative for Open Authentication (OATH), performed management of its secret / state file in certain configurations. Due to the lack of a 'user=' option, the secret file was previously required to be user-readable, allowing (in certain cases) a local attacker to obtain the (pre)shared client-to-authentication-server secret, possibly leading to impersonation of the victim's account.

A different vulnerability than CVE-2013-0258.

References:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20
  https://bugzilla.redhat.com/show_bug.cgi?id=953505

Relevant upstream patch:
  https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8

@Alexander - since I am not sure I have described the attack vector above properly, please correct me if / where required.

@Kurt
* the CVE-2012- identifier should be allocated to this issue, since the security implications of this problem are for the first time mentioned here:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10 (2012-09-22),
* from what I have looked, there doesn't seem to be:
  http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=authenticator
  a CVE identifier allocated to this issue yet (as noted above, CVE-2013-0258 from that list is a different issue).

=> could you allocate one?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
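As an added illustration of the configuration difference the report describes (this is example code, not from the report, the Debian bug or the google-authenticator project): a small audit that flags state files that the login user, rather than a dedicated service user, owns or can read. The service user name "gauth", the /var/lib directory and the sample files are assumptions constructed for the example; 'user=' is the option the report names, and 'secret=' is the module's companion option for the file path.

```python
import os
import pwd
import stat
import tempfile

# PAM fragments for contrast ("gauth" and the directory are assumed names):
#   weak:  auth required pam_google_authenticator.so
#          -> state file is ~/.google_authenticator, owned and readable by the
#             login user, so anyone acting as that user can copy the secret
#   fixed: auth required pam_google_authenticator.so user=gauth \
#              secret=/var/lib/google-authenticator/${USER}
#          -> the module switches to "gauth" to read the file, so the login
#             user never needs read access to its own secret

def _owner_name(uid):
    """Map a uid to a user name, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_secret_file(path, service_user):
    """Findings for one OTP state file: wrong owner and/or group/other bits."""
    findings = []
    st = os.stat(path)
    owner = _owner_name(st.st_uid)
    if owner != service_user:
        findings.append(f"owned by {owner!r}, expected {service_user!r}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return findings

def demo():
    """Constructed fixture: a temp dir with one weak and one clean state file."""
    me = _owner_name(os.getuid())
    d = tempfile.mkdtemp()
    weak, clean = os.path.join(d, "alice"), os.path.join(d, "bob")
    for p in (weak, clean):
        with open(p, "w") as fh:
            fh.write("CONSTRUCTED-BASE32-SECRET\n")  # placeholder, not a real key
    os.chmod(weak, 0o644)   # world-readable, as a user-managed file often ends up
    os.chmod(clean, 0o400)  # owner-only, as the service-user layout allows
    return {
        "alice_vs_gauth": audit_secret_file(weak, "gauth"),  # 2 findings expected
        "bob_vs_self": audit_secret_file(clean, me),         # no findings expected
    }
```

Run demo() to see the two cases side by side; in a real deployment you would point audit_secret_file at each file under the configured secret directory with the configured 'user=' name.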