Vulnerability CVE-2012-6140


Published: 2013-04-24   Modified: 2013-05-07

Description:
pam_google_authenticator.c in the PAM module in Google Authenticator before 1.0 requires user-readable permissions for the secret file, which allows local users to bypass intended access restrictions and discover a shared secret via standard filesystem operations, a different vulnerability than CVE-2013-0258.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
google-authenticator Information disclosure
Jan iankko Liesk...
18.04.2013

Type:

CWE-200

(Information Exposure)

Vendor: Google
Product: Google authenticator 
Version:
0.91
0.87
0.86
Product: Authenticator 
Version:
0.91
0.87
0.86

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
1.9/10
2.9/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
https://bugzilla.redhat.com/show_bug.cgi?id=953505
http://openwall.com/lists/oss-security/2013/04/18/10
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129

Related CVE
CVE-2017-9714
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, an out of bound memory access may happen in limCheckRxRSNIeMatch in case incorrect RSNIE is received from the client in assoc request.
CVE-2017-9715
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing a vendor command, a buffer over-read can occur.
CVE-2017-9687
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, two concurrent threads/processes can write the value of "0" to the debugfs file that controls ipa ipc log which will lead to the double-fr...
CVE-2017-9697
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition can allow access to already freed memory while reading command registration table entries in diag_dbgfs_read_table.
CVE-2017-9706
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, an array out-of-bounds access can potentially occur in a display driver.
CVE-2017-9683
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing a meta image, an integer overflow can occur, if user-defined image offset and size values are too large.
CVE-2017-9686
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possible double free/use after free in the SPS driver when debugfs logging is used.
CVE-2017-11067
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the Athdiag procfs entry does not have a proper address sanity check which may potentially lead to the use of an out-of-range pointer offs...

Copyright 2017, cxsecurity.com

 

Back to Top