google-authenticator Information disclosure

2013-04-18 / 2013-04-19
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-200

CVSS Base Score: 1.9/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

An information disclosure file was found in the way google-authenticator, a pluggable authentication module (PAM) which allows login using one-time passcodes conforming to the open standards developed by the Initiative for Open Authentication (OATH), performed management of its secret / state file in certain configurations. Due the lack of 'user=' option the secret file was previously required to be user-readable, allowing (in certain cases) a local attacker to obtain the (pre)shared client-to-authentication-server secret, possibly leading to victim's account impersonation. A different vulnerability than CVE-2013-0258. References: [1] [2] [3] [4] Relevant upstream patch: [5] @Alexander - since I am not sure I have described the attack vector above properly, please correct me if / where required. @Kurt * the CVE-2012- identifier should be allocated to this issue, since the security implications of this problem are for the first time mentioned here: (2012-09-22), * from what I have looked, there doesn't seem to be: a CVE identifier allocated to this issue yet (as noted above CVE-2013-0258 from that list is different issue). => could you allocate one? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top