First published: Thu Apr 18 2013(Updated: )
An information disclosure file was found in the way google-authenticator, a pluggable authentication module (PAM) which allows login using one-time passcodes conforming to the open standards developed by the Initiative for Open Authentication (OATH), performed management of its secret / state file in certain configurations. Due the lack of 'user=' option the secret file was previously required to be user-readable, allowing (in certain cases) a local attacker to obtain the (pre)shared client-to-authentication-server secret, possibly leading to victim's account impersonation. A different vulnerability than <a href="https://access.redhat.com/security/cve/CVE-2013-0258">CVE-2013-0258</a>. References: [1] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129</a> [2] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10</a> [3] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20</a> Relevant upstream patch: [4] <a href="https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8">https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8</a>
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google Authenticator | <=0.91 | |
Google Authenticator | =0.86 | |
Google Authenticator | =0.87 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.