GLSA-201402-12

PAM S/Key: Information disclosure

2014-02-09 00:00:00
Gentoo Foundation
security.gentoo.org

CVSS2: 2.1
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N

AI Score: 6.6
Confidence: Low

EPSS: 0
Percentile: 5.1%

Background

PAM S/Key is a pluggable authentication module for the OpenBSD Single-key Password system.

Description

Ulrich Müller reported that a Gentoo patch to PAM S/Key does not remove credentials provided by the user from memory.

Impact

A local attacker with privileged access could inspect a memory dump to gain access to cleartext credentials provided by users.
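
The bug class described above, as an added C example (not pam_skey's code and not the Gentoo patch): a user-supplied credential is scrubbed on every exit path before its buffer is freed, so it does not linger in process memory. The `reply` struct, `check_response` and the sample value are constructed for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a conversation reply; not pam_skey's own type. */
struct reply {
    char  *resp;  /* heap copy of what the user typed */
    size_t cap;   /* allocated size, so the wipe covers the whole buffer */
};

/* Zero n bytes through a volatile pointer so the stores cannot be removed
 * as dead writes, which a plain memset() right before free() may be. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical verifier: compares against a constructed sample value. */
static int check_response(const char *resp)
{
    return strcmp(resp, "CONSTRUCTED SAMPLE OTP") == 0;
}

/* Scrub the credential, then release it. Safe to call twice. */
static void drop_reply(struct reply *r)
{
    if (r->resp != NULL) {
        secure_wipe(r->resp, r->cap);
        free(r->resp);
        r->resp = NULL;
    }
}

/* Returns 1 on match, 0 on mismatch, -1 on allocation failure. */
static int authenticate(const char *typed)
{
    struct reply r;
    int ok;

    r.cap = strlen(typed) + 1;
    r.resp = malloc(r.cap);
    if (r.resp == NULL)
        return -1;
    memcpy(r.resp, typed, r.cap);
    ok = check_response(r.resp);
    drop_reply(&r);              /* runs for success and failure alike */
    return ok;
}
```

Where the platform provides explicit_bzero(), it serves the same purpose as secure_wipe here.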

Workaround

There is no known workaround at this time.

Resolution

All PAM S/Key users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-auth/pam_skey-1.1.5-r5"

OS      Version  Architecture  Package            Version     Filename
Gentoo  any      all           sys-auth/pam_skey  < 1.1.5-r5  UNKNOWN
