Vulnerability CVE-2012-6140


Published: 2013-04-24   Modified: 2013-05-07

Description:
pam_google_authenticator.c in the PAM module in Google Authenticator before 1.0 requires user-readable permissions for the secret file, which allows local users to bypass intended access restrictions and discover a shared secret via standard filesystem operations, a different vulnerability than CVE-2013-0258.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
google-authenticator Information disclosure
Jan iankko Liesk...
18.04.2013

Type:

CWE-200

(Information Exposure)

Vendor: Google
Product: Google authenticator 
Version:
0.91
0.87
0.86
Product: Authenticator 
Version:
0.91
0.87
0.86

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
1.9/10
2.9/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
https://bugzilla.redhat.com/show_bug.cgi?id=953505
http://openwall.com/lists/oss-security/2013/04/18/10
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129

Related CVE
CVE-2017-8243
A buffer overflow can occur in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android when processing a firmware image file.
CVE-2017-6421
In the touch controller function in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, a variable may be controlled by the user and can lead to a buffer overflow.
CVE-2016-5867
In a sound driver in Android for MSM, Firefox OS for MSM, QRD Android, some variables are from userspace and values can be chosen that could result in stack overflow.
CVE-2016-5862
When a control related to codec is issued from userspace in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, the type casting is done to the container structure instead of the codec's individual structure, resulting in ...
CVE-2016-5863
In an ioctl handler in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, several sanity checks are missing which can lead to out-of-bounds accesses.
CVE-2016-5864
In an audio driver function in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, some parameters are from userspace, and if they are set to a large value, integer overflow is possible followed by buffer overflow. In anot...
CVE-2016-5858
In an ioctl handler in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, if a user supplies a value too large, then an out-of-bounds read occurs.
CVE-2016-5859
In a sound driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, if a function is called with a very large length, an integer overflow could occur followed by a buffer overflow.

Copyright 2017, cxsecurity.com