CVE-2015-8025 - OpenCVE

driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Xscreensaver Project	Xscreensaver

Configuration 1 [-]

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

Configuration 2 [-]

cpe:2.3:a:xscreensaver_project:xscreensaver:5.33:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html
http://www.debian.org/security/2016/dsa-3438
http://www.openwall.com/lists/oss-security/2015/10/24/2	Exploit
http://www.openwall.com/lists/oss-security/2015/10/25/1
http://www.openwall.com/lists/oss-security/2015/10/29/12
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.securitytracker.com/id/1034052
http://www.ubuntu.com/usn/USN-2789-1
https://twitter.com/Thaolia/status/656823859304398848
https://www.jwz.org/blog/2015/10/xscreensaver-5-34/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-11-10T16:00:00

Updated: 2016-12-05T22:57:01

Reserved: 2015-10-29T00:00:00

Link: CVE-2015-8025

JSON object: View

NVD Information

Status : Modified

Published: 2015-11-10T17:59:11.653

Modified: 2016-12-07T18:25:59.807

Link: CVE-2015-8025

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-24T00:00:00", "descriptions": [{"lang": "en", "value": "driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-05T22:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}, {"name": "1034052", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034052"}, {"name": "openSUSE-SU-2015:2032", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"name": "DSA-3438", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3438"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"name": "[oss-security] 20151024 CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"name": "[oss-security] 20151025 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"name": "[oss-security] 20151029 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"name": "USN-2789-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2789-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8025", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/", "refsource": "CONFIRM", "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}, {"name": "1034052", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034052"}, {"name": "openSUSE-SU-2015:2032", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"name": "DSA-3438", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3438"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"name": "[oss-security] 20151024 CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"name": "[oss-security] 20151025 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"name": "[oss-security] 20151029 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"name": "https://twitter.com/Thaolia/status/656823859304398848", "refsource": "MISC", "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"name": "USN-2789-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2789-1"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8025", "datePublished": "2015-11-10T16:00:00", "dateReserved": "2015-10-29T00:00:00", "dateUpdated": "2016-12-05T22:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xscreensaver_project:xscreensaver:5.33:*:*:*:*:*:*:*", "matchCriteriaId": "1E905914-5F5A-44E7-BE79-8175DBC53EEE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors."}, {"lang": "es", "value": "driver/subprocs.c en XScreenSaver en versiones anteriores a 5.34 no lleva a cabo correctamente una comprobaci\u00f3n de consistencia interna, lo que permite a atacantes f\u00edsicamente pr\u00f3ximos eludir la pantalla de bloqueo cambiando los monitores sin apagar el dispositivo."}], "id": "CVE-2015-8025", "lastModified": "2016-12-07T18:25:59.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-10T17:59:11.653", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2016/dsa-3438"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1034052"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2789-1"}, {"source": "cve@mitre.org", "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"source": "cve@mitre.org", "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}