CVSS2

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS Percentile: 17.9%

The Linux kernel through 3.7.9 allows local users to obtain sensitive
information about keystroke timing by using the inotify API on the
/dev/ptmx device.
Author | Note |
---|---|
apw | the spender sidechannel patch above may not be generally applicable but I include it for completeness. |
henrix | commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e is not sufficient to fix the CVE because an application doesn't have to read atime/mtime (as is the case for the PoC). The 2 additional commits fix a regression and mark the shared ptmx node as un-notifiable (which will cause additional problems to backport them to Lucid, as it doesn't have this feature) |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | linux | < 2.6.32-57.119 | UNKNOWN |
ubuntu | 12.04 | noarch | linux | < 3.2.0-48.74 | UNKNOWN |
ubuntu | 12.10 | noarch | linux | < 3.5.0-34.55 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-armadaxp | < 3.2.0-1621.32 | UNKNOWN |
ubuntu | 12.10 | noarch | linux-armadaxp | < 3.5.0-1616.24 | UNKNOWN |
ubuntu | 10.04 | noarch | linux-ec2 | < 2.6.32-362.75 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-lts-quantal | < 3.5.0-34.55~precise1 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-lts-raring | < 3.8.0-25.37~precise1 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-ti-omap4 | < 3.2.0-1433.44 | UNKNOWN |
ubuntu | 12.10 | noarch | linux-ti-omap4 | < 3.5.0-226.39 | UNKNOWN |
grsecurity.net/~spender/sidechannel.diff
vladz.devzero.fr/013_ptmx-timing.php
www.openwall.com/lists/oss-security/2013/01/07
launchpad.net/bugs/cve/CVE-2013-0160
nvd.nist.gov/vuln/detail/CVE-2013-0160
security-tracker.debian.org/tracker/CVE-2013-0160
ubuntu.com/security/notices/USN-1878-1
ubuntu.com/security/notices/USN-1879-1
ubuntu.com/security/notices/USN-1880-1
ubuntu.com/security/notices/USN-1881-1
ubuntu.com/security/notices/USN-1882-1
ubuntu.com/security/notices/USN-1883-1
ubuntu.com/security/notices/USN-1916-1
ubuntu.com/security/notices/USN-2128-1
ubuntu.com/security/notices/USN-2129-1
www.cve.org/CVERecord?id=CVE-2013-0160