Hello Kurt, Steve, Alexander, vendors,
as noted in [1]:
An information disclosure file was found in the way google-authenticator,
a pluggable authentication module (PAM) which allows login using one-time
passcodes conforming to the open standards developed by the Initiative for
Open Authentication (OATH), performed management of its secret / state file
in certain configurations. Due the lack of 'user=' option the secret file
was previously required to be user-readable, allowing (in certain cases)
a local attacker to obtain the (pre)shared client-to-authentication-server
secret, possibly leading to victim's account impersonation.
A different vulnerability than CVE-2013-0258.
References:
[1]
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129
[2]
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10
[3]
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20
[4]
https://bugzilla.redhat.com/show_bug.cgi?id=953505
Relevant upstream patch:
[5]
https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857...
@Alexander - since I am not sure I have described the attack vector above
properly, please correct me if / where required.
@Kurt * the CVE-2012- identifier should be allocated to this issue, since
the security implications of this problem are for the first time
mentioned here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10
(2012-09-22),
* from what I have looked, there doesn't seem to be:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=authenticator
a CVE identifier allocated to this issue yet (as noted above
CVE-2013-0258 from that list is different issue).
=> could you allocate one?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team