CVE-2013-7252
First published: Fri Jan 03 2014(Updated: )
It was found that kwallet, a tool for managing the passwords on a KDE system, uses Blowfish to encrypt its password store, and despite an attempt at implementing CBC mode (in a file called cbc.cc no less), it's actually ECB mode. UTF-16 encoding combined with Blowfish's 64 bit block size means there are just four password characters per block. Encryption is convergent as well. The risk is that this may enable recovery of passwords through codebook attacks. References: <a href="http://seclists.org/oss-sec/2014/q1/2">http://seclists.org/oss-sec/2014/q1/2</a> <a href="http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/">http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| KDE Applications | <=14.11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://seclists.org/oss-sec/2014/q1/2
- http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1048169
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1048168#c3
- http://www.rusu.info/wp/?p=248
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1180502
- https://access.redhat.com/security/cve/cve-2013-7252
- https://bugzilla.redhat.com/show_bug.cgi?id=1048168
- http://www.openwall.com/lists/oss-security/2014/01/02/3
- http://www.openwall.com/lists/oss-security/2015/01/09/7
- http://www.securityfocus.com/bid/67716
- https://security.gentoo.org/glsa/201606-19
- https://www.kde.org/info/security/advisory-20150109-1.txt
Frequently Asked Questions
What is the severity of CVE-2013-7252?
CVE-2013-7252 is considered a medium severity vulnerability due to its potential impact on confidentiality.
How do I fix CVE-2013-7252?
To mitigate CVE-2013-7252, update to a version of KDE Applications beyond 14.11.3 where the issue has been addressed.
What systems are affected by CVE-2013-7252?
CVE-2013-7252 affects KDE Applications versions up to and including 14.11.3.
What type of encryption is compromised in CVE-2013-7252?
CVE-2013-7252 is compromised due to the misuse of ECB mode in the encryption process instead of the intended CBC mode.
What is the main risk associated with CVE-2013-7252?
The main risk associated with CVE-2013-7252 is that it may allow unauthorized users to infer sensitive information from the encrypted password store.
- collector/redhat-bugzilla
- alias/CVE-2013-7252
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/event
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/remedy
- agent/tags
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/kde
- canonical/kde applications
- version/kde applications/14.11.3