CVE-2013-7252

kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/	Exploit
https://bugzilla.redhat.com/show_bug.cgi?id=1048168	Issue Tracking
http://www.securityfocus.com/bid/67716	Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/01/09/7
http://www.openwall.com/lists/oss-security/2014/01/02/3
https://www.kde.org/info/security/advisory-20150109-1.txt	Patch Vendor Advisory
https://security.gentoo.org/glsa/201606-19	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kde:kde_applications:*:*:*:*:*:*:*:*

Information

Published : 2015-01-18 10:59

Updated : 2016-08-02 06:58

NVD link : CVE-2013-7252

Mitre link : CVE-2013-7252

JSON object : View

CWE

CWE-310

Cryptographic Issues

Products Affected

kde

kde_applications

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/", "name": "http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1048168", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1048168", "tags": ["Issue Tracking"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/67716", "name": "67716", "tags": ["Third Party Advisory"], "refsource": "BID"}, {"url": "http://www.openwall.com/lists/oss-security/2015/01/09/7", "name": "[oss-security] 20150109 Re: CVE Request: kwallet: incorrect CBC encryption handling", "tags": [], "refsource": "MLIST"}, {"url": "http://www.openwall.com/lists/oss-security/2014/01/02/3", "name": "[oss-security] 20140102 kwallet crypto misuse", "tags": [], "refsource": "MLIST"}, {"url": "https://www.kde.org/info/security/advisory-20150109-1.txt", "name": "https://www.kde.org/info/security/advisory-20150109-1.txt", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://security.gentoo.org/glsa/201606-19", "name": "GLSA-201606-19", "tags": ["Third Party Advisory"], "refsource": "GENTOO"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-310"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-7252", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-01-18T18:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:kde:kde_applications:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "14.11.3"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-08-02T13:58Z"}

5.0 /10