GLSA Advocate
Posted: Sun Feb 09, 2014 11:26 am Post subject: [ GLSA 201402-12 ] PAM S/Key: Information disclosure
Gentoo Linux Security Advisory
Title: PAM S/Key: Information disclosure (GLSA 201402-12)
Severity: normal
Exploitable: local
Date: February 09, 2014
Bug(s): #482588
ID: 201402-12
Synopsis
PAM S/Key does not clear provided credentials from memory, allowing
local attackers to gain access to cleartext credentials.
Background
PAM S/Key is a pluggable authentication module for the OpenBSD
Single-key Password system.
Affected Packages
Package: sys-auth/pam_skey
Vulnerable: < 1.1.5-r5
Unaffected: >= 1.1.5-r5
Architectures: All supported architectures
Description
Ulrich Müller reported that a Gentoo patch to PAM S/Key does not remove
credentials provided by the user from memory.
Impact
A local attacker with privileged access could inspect a memory dump to
gain access to cleartext credentials provided by users.
Workaround
There is no known workaround at this time.
Resolution
All PAM S/Key users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_skey-1.1.5-r5"
References
CVE-2013-4285
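The bug class named in the Description (a user-supplied credential left in memory after the check) is shown below as an added C example. It is not pam_skey code or the Gentoo patch; `scratch`, `verify_leaky`, `verify_scrubbed` and the sample response are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define CAP 64
static char scratch[CAP]; /* hypothetical buffer holding the user's response */

/* Volatile stores are not removed as dead writes (libc: explicit_bzero()). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Number of bytes in scratch that still hold data after a check. */
size_t residue(void)
{
    size_t left = 0;
    for (size_t i = 0; i < CAP; i++)
        left += (scratch[i] != 0);
    return left;
}

/* Leaky form: the cleartext response stays in scratch after return. */
int verify_leaky(const char *response, const char *expected)
{
    if (strlen(response) >= CAP)
        return 0;
    strcpy(scratch, response);
    return strcmp(scratch, expected) == 0; /* strcmp keeps the example short */
}

/* Scrubbed form: one exit path, wiped on success and on failure alike. */
int verify_scrubbed(const char *response, const char *expected)
{
    int ok = 0;
    if (strlen(response) < CAP) {
        strcpy(scratch, response);
        ok = (strcmp(scratch, expected) == 0);
    }
    secure_wipe(scratch, CAP);
    return ok;
}

int main(void)
{
    int ok = verify_leaky("constructed-otp", "constructed-otp");
    printf("leaky:    ok=%d residue=%zu\n", ok, residue());
    ok = verify_scrubbed("constructed-otp", "constructed-otp");
    printf("scrubbed: ok=%d residue=%zu\n", ok, residue());
    return 0;
}
```

A plain memset() before return can be dropped by the optimizer as a dead store, which is why the wipe goes through a volatile pointer.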