eCryptfs Utils ecryptfs-setup-private information disclosure
| ecryptfsutils-setupprivate-info-disclosure (46073) |  Low Risk |
Description:
eCryptfs Utils could allow a local attacker to obtain sensitive information, caused by an error in the ecryptfs-setup-private, ecryptfs-setup-confidential and the ecryptfs-setup-pam-wrapped.sh script that passes cleartext passwords to the ecryptfs-wrap-passphrase and ecryptfs-add-passphrase programs. A local attacker could exploit this vulnerability using the process list to obtain the password and other sensitive information.
*CVSS:
| Base Score: | 2.1 |
| Access Vector: | Local |
| Access Complexity: | Low |
| Authentication: | None |
| Confidentiality Impact: | Partial |
| Integrity Impact: | None |
| Availability Impact: | None |
| Temporal Score: | 1.6 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Obtain Information
Remedy:
Refer to the Linux Kernel GIT Repository for patch, upgrade or suggested workaround information. See References.
References:
- eCryptfs Web page: eCryptfs.
- Linux Kernel GIT Repository: Fix ecryptfs-add-passphrase and ecryptfs-wrap-passphrase.
- Linux Kernel GIT Repository: The bash/dash builtin "echo" apparently does not.
- oss-security Mailing List, Thu, 23 Oct 2008 16:16:28 -0500: CVE request for ecryptfs .
- CVE-2008-5188: The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process.
- RHSA-2009-1307: Low: ecryptfs-utils security, bug fix, and enhancement update
- SA32382: eCryptfs Utils "ecryptfs-setup-private" Password Disclosure Security Issue
Platforms Affected:
- Ecryptfs Ecryptfs Utils 45
- Ecryptfs Ecryptfs Utils 46
- Ecryptfs Ecryptfs Utils 47
- Ecryptfs Ecryptfs Utils 48
- Ecryptfs Ecryptfs Utils 49
- Ecryptfs Ecryptfs Utils 50
- Ecryptfs Ecryptfs Utils 51
- Ecryptfs Ecryptfs Utils 53
- Ecryptfs Ecryptfs Utils 54
- Ecryptfs Ecryptfs Utils 55
- Ecryptfs Ecryptfs Utils 56
- Ecryptfs Ecryptfs Utils 57
- Ecryptfs Ecryptfs Utils 58
- Ecryptfs Ecryptfs Utils 59
- Ecryptfs Ecryptfs Utils 60
- Ecryptfs Ecryptfs Utils 61
- RedHat Enterprise Linux 5 Client Workstation
- RedHat Enterprise Linux 5 Client
- RedHat Enterprise Linux 5
Reported:
Oct 23, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.