First published: Fri Jan 03 2014
It was found that kwallet, the KDE password manager, encrypts its password store with Blowfish and, despite an attempt at implementing CBC mode (in a file called cbc.cc, no less), actually runs the cipher in ECB mode. Because stored values are UTF-16 encoded and Blowfish has a 64-bit block, each ciphertext block covers just four password characters. Encryption is also convergent: the same four-character chunk always produces the same ciphertext block, whether it recurs within one entry, in another entry, or in another wallet encrypted under the same key. The risk is that an attacker who can read the wallet file and knows the plaintext of some entries can build a codebook of ciphertext block to plaintext chunk and use it to recover matching chunks of other passwords.
References:
<a href="http://seclists.org/oss-sec/2014/q1/2">http://seclists.org/oss-sec/2014/q1/2</a>
<a href="http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/">http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/</a>
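The following is an added illustration, not kwallet's code and not a transcript of its cbc.cc. It uses a small stand-in 64-bit block cipher (a Feistel network keyed with HMAC-SHA256, chosen only because it has the same 8-byte block as Blowfish and runs with the standard library) and constructed sample passwords and key. It shows three things the description above states: a "CBC" loop that never advances its chaining value collapses to ECB; ECB over UTF-16 makes equal four-character chunks produce equal ciphertext blocks; and a codebook built from entries with known plaintext recovers those chunks in other entries, while correct CBC with a fresh IV defeats the same codebook.

```python
"""Added example: ECB over UTF-16 passwords vs. CBC, and a codebook attack.
Not kwallet's code; the block cipher below is a stand-in, NOT Blowfish."""
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit block like Blowfish; UTF-16 uses 2 bytes per char, so 4 chars per block
KEY = b"constructed-demo-key-not-a-real-wallet-key"  # assumption: a fixed wallet key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to 32 bits.
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel). Deterministic per (key, block),
    which is the only property the attack below relies on."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def encode_password(pw: str) -> bytes:
    """UTF-16LE, padded with NUL code units up to a whole number of blocks (demo choice)."""
    data = pw.encode("utf-16-le")
    while len(data) % BLOCK:
        data += b"\x00\x00"
    return data


def decode_password(data: bytes) -> str:
    return data.decode("utf-16-le").rstrip("\x00")


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def broken_cbc_encrypt(key: bytes, data: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """A CBC loop whose chaining value is never advanced (an illustrative slip, not a
    claim about the exact bug in cbc.cc). With the all-zero IV this is exactly ECB."""
    out, prev = b"", iv
    for b in _blocks(data):
        out += block_encrypt(key, _xor(b, prev))
        # bug: prev should now become the ciphertext block just produced
    return out


def cbc_encrypt(key: bytes, data: bytes, iv: bytes) -> bytes:
    """Correct CBC: every block is XORed with the previous ciphertext block (IV first)."""
    out, prev = b"", iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out += prev
    return out


def build_codebook(known, encrypt) -> dict:
    """Map ciphertext block -> plaintext block using entries whose plaintext the attacker
    already knows (their own entries, shared or previously leaked credentials)."""
    book = {}
    for pw in known:
        data = encode_password(pw)
        for pt, ct in zip(_blocks(data), _blocks(encrypt(data))):
            book[ct] = pt
    return book


def codebook_attack(book: dict, ciphertext: bytes) -> str:
    """Recover every 4-char chunk whose ciphertext block is in the book; '?' = unknown."""
    return "".join(decode_password(book[ct]) if ct in book else "?" * 4
                   for ct in _blocks(ciphertext))


def demo():
    unknown = "password1999"                      # constructed victim entry
    known = ["password2014", "open1999"]          # constructed entries with known plaintext
    ct = ecb_encrypt(KEY, encode_password(unknown))
    # the non-chaining "CBC" produces byte-for-byte the ECB output
    assert broken_cbc_encrypt(KEY, encode_password(unknown)) == ct
    # convergence: the shared chunk "pass" gives the same first block in both entries
    assert ecb_encrypt(KEY, encode_password(known[0]))[:BLOCK] == ct[:BLOCK]
    ecb_guess = codebook_attack(build_codebook(known, lambda d: ecb_encrypt(KEY, d)), ct)
    cbc = lambda d: cbc_encrypt(KEY, d, os.urandom(BLOCK))   # fresh IV per entry
    cbc_guess = codebook_attack(build_codebook(known, cbc), cbc(encode_password(unknown)))
    return ecb_guess, cbc_guess


if __name__ == "__main__":
    print(demo())  # ('password1999', '????????????')
```

Swapping `block_encrypt` for a real Blowfish call (for example from a crypto library) changes none of the conclusions: the leak comes from the mode and the short block, not from the cipher's strength. Note also that with only `password2014` in the codebook the attack still yields `password????`, i.e. eight of the twelve characters, which is the partial-recovery case the advisory warns about.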
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
KDE / KDE Applications | <=14.11.3 | |