[Users] [oss-security] CVE-2012-XXYY Request -- google-authenticator: Information disclosure due insecure requirement on the secrets file

Michael Pasternak mpastern at redhat.com
Thu Apr 18 11:57:46 UTC 2013


FYI

On 04/18/2013 01:45 PM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Alexander, vendors,
> 
>   as noted in [1]:
> 
> An information disclosure flaw was found in the way google-authenticator,
> a pluggable authentication module (PAM) which allows login using one-time
> passcodes conforming to the open standards developed by the Initiative for
> Open Authentication (OATH), performed management of its secret / state file
> in certain configurations. Due to the lack of a 'user=' option the secret file
> was previously required to be user-readable, allowing (in certain cases)
> a local attacker to obtain the (pre)shared client-to-authentication-server
> secret, possibly leading to victim's account impersonation.
> 
> A different vulnerability than CVE-2013-0258.
> 
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10
> [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=953505
> 
> Relevant upstream patch:
> [5] https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
> 
> @Alexander - since I am not sure I have described the attack vector above
>              properly, please correct me if / where required.
> 
> @Kurt * the CVE-2012- identifier should be allocated to this issue, since
>         the security implications of this problem are for the first time
>         mentioned here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10 (2012-09-22),
> 
>       * from what I have looked, there doesn't seem to be:
>           http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=authenticator
> 
>         a CVE identifier allocated to this issue yet (as noted above
>         CVE-2013-0258 from that list is a different issue).
> 
>         => could you allocate one?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team


-- 

Michael Pasternak
RedHat, ENG-Virtualization R&D
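The weakness described above is a secret file readable by more than its owner. The following audit script is an added example (not code from the thread, the Debian bug, or the google-authenticator project) that reports per-user secret files whose mode grants group/other access or whose owner does not match the home directory's owner; it assumes the default file name ~/.google_authenticator and /home as the root of user home directories.

```python
import os
import stat
from pathlib import Path

# Default per-user secret file of the google-authenticator PAM module
# (assumption: default location; a 'secret=' option may relocate it).
SECRET_NAME = ".google_authenticator"


def check_secret_file(path, expected_uid=None):
    """Return a list of findings for one secret file (empty list == OK).

    Flags any permission bit granting group or other access (the shared
    TOTP secret must be readable by its owner only) and, when expected_uid
    is given, an ownership mismatch. A symlink is reported and not followed.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings  # user has not enrolled; nothing to check
    if stat.S_ISLNK(st.st_mode):
        findings.append("secret file is a symlink")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def audit_home_dirs(home_root="/home"):
    """Walk home_root and collect problems for every enrolled user's file."""
    report = {}
    for home in Path(home_root).iterdir():
        if not home.is_dir():
            continue
        secret = home / SECRET_NAME
        uid = home.stat().st_uid  # home dir owner is the expected owner
        problems = check_secret_file(secret, expected_uid=uid)
        if problems:
            report[str(secret)] = problems
    return report


if __name__ == "__main__":
    for path, problems in audit_home_dirs().items():
        print(path, "->", "; ".join(problems))
```

Run it as root so every home directory is readable; a clean run prints nothing.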
