CVE-2013-4143

The (1) checkPasswd and (2) checkGroupXlockPasswds functions in xlockmore before 5.43 do not properly handle when a NULL value is returned upon an error by the crypt or dispcrypt function as implemented in glibc 2.17 and later, which allows attackers to bypass the screen lock via vectors related to invalid salts.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.tux.org/~bagleyd/xlock/xlockmore.README	Vendor Advisory
http://openwall.com/lists/oss-security/2013/07/16/8
http://openwall.com/lists/oss-security/2013/07/18/6

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:david_bagley:xlockmore::::::::
	cpe:2.3:a:david_bagley:xlockmore:5.35:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.33:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.26:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.24:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.31:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.30:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.29:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.28:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.40:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.39:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.34:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.27:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.36:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.37:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.41:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.38:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.32:::::::*
	cpe:2.3:a:david_bagley:xlockmore:5.25:::::::*

Information

Published : 2014-05-30 07:55

Updated : 2014-06-26 08:46

NVD link : CVE-2013-4143

Mitre link : CVE-2013-4143

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

david_bagley

xlockmore

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.tux.org/~bagleyd/xlock/xlockmore.README", "name": "http://www.tux.org/~bagleyd/xlock/xlockmore.README", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://openwall.com/lists/oss-security/2013/07/16/8", "name": "[oss-security] 20130716 CVE Request - xlockmore 5.43 fixes a security flaw", "tags": [], "refsource": "MLIST"}, {"url": "http://openwall.com/lists/oss-security/2013/07/18/6", "name": "[oss-security] 20130718 Re: CVE Request - xlockmore 5.43 fixes a security flaw", "tags": [], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The (1) checkPasswd and (2) checkGroupXlockPasswds functions in xlockmore before 5.43 do not properly handle when a NULL value is returned upon an error by the crypt or dispcrypt function as implemented in glibc 2.17 and later, which allows attackers to bypass the screen lock via vectors related to invalid salts."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-4143", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-05-30T14:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.42"}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.35:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.33:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.26:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.24:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.31:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.29:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.28:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.40:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.39:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.34:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.27:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.36:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.41:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.38:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.32:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:david_bagley:xlockmore:5.25:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2014-06-26T15:46Z"}