Credentials management in IBus and Opensuse - CVE-2013-4509

 


Published: November 23, 2013 / Updated: August 10, 2020


Vulnerability identifier: #VU42315
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-4509
CWE-ID: CWE-255
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: IBus Project, SUSE
Affected software: IBus, Opensuse

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The default configuration of IBus 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.


How to mitigate CVE-2013-4509

Install the update from the vendor's website.

Sources