Information disclosure in Linux kernel

Published: 2013-02-18 | Updated: 2020-08-11

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2013-0160
CWE-ID	CWE-200
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Linux kernel Operating systems & Components / Operating system
Vendor	Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU43086

Risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2013-0160

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 3.0 - 3.7.9

CPE2.3

External links

https://lists.opensuse.org/opensuse-security-announce/2013-03/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00018.html
https://lists.opensuse.org/opensuse-security-announce/2013-06/msg00005.html
https://lists.opensuse.org/opensuse-security-announce/2013-07/msg00016.html
https://lists.opensuse.org/opensuse-security-announce/2013-07/msg00018.html
https://www.openwall.com/lists/oss-security/2013/01/08/3
https://www.ubuntu.com/usn/USN-2128-1
https://www.ubuntu.com/usn/USN-2129-1
https://bugzilla.redhat.com/show_bug.cgi?id=892983

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.