Opened 3 years ago

Closed 3 years ago

#11685 closed enhancement (fixed)

Generate a security patch for GDM Authentication Bypasses

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

Another private report from an Arch Linux developer who prefers to remain anonymous.

There are two authentication bypass vulnerabilities in GDM that were discovered last week. This ticket is being defined to track them.

Vulnerability 1: https://bugzilla.redhat.com/show_bug.cgi?id=1672825 https://gitlab.gnome.org/GNOME/gdm/issues/460 https://gitlab.gnome.org/GNOME/gdm/merge_requests/58

In some cases with timed login enabled, GDM will unlock a session for a different user than typed their password

Burghard Britzke reported to security@gnome.org that he has found a bug in GDM's timed login implementation.

Under the right circumstances, after the timed login timeout expires, a running session may get misassociated with the timed login user instead of the user that started the session. Further attempts to log in as the timed login user will instead unlock the misassociated user session.

This only affects X.org since, we kill the login screen on wayland after login.

Steps to reproduce:

    create two users bubi(1000) and user gast(1001)
    edit the [daemon] section of /etc/gdm/custom.conf to enable timed login for the gast user

[daemon]
TimedLoginEnable=true
TimedLogin=gast
TimedLoginDelay=10

    restart
    login as user bubi(1000)
    lock the screen
    select Login as different user below the password field
    select gast from the user list and enter the password for the gast user
    notice that the bubi user is unlocked instead of the gast user

Vulnerability 2:

Partial screen lock bypass via keybindings?

I noticed that on a locked Gnome screen, when you right-click on the password text field, certain keyboard shortcuts are re-enabled.

Example1: right-click, the small menu (copy/paste/...) appears, then press Super+F10. You can now see the front window menu, and eg you can close the window, or change its parameters, etc.

Example2: right-click, press Alt+Screenshot, and a screenshot of the window is taken and saved in the user's Pictures/ directory. It means that someone can fill the disk with images.

Example3: press Alt+Super+S, and sometimes, Orca starts spelling you the content of the window (which is supposed to be secret since the screen is locked). It does not always do, not sure why. Note also that by then enabling the virtual keyboard (by clicking on it in the accessibility button that appeared on the upper-right corner of the screen), you can then open (in the session, but not in gdm) the accessibility menu.

All of that doesn't look really intentional to me.

https://gitlab.gnome.org/GNOME/gnome-shell/issues/851

These vulnerabilities have been assigned IDs CVE-2019-3820 and CVE-2019-3825 by Red Hat Product Security.

Change History (4)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 3 years ago

CVE-2019-3820 has had a patch submitted at r3888 (it affects gnome-shell).

comment:3 by Douglas R. Reno, 3 years ago

CVE-2019-3825 has had a patch submitted at r3889 (now GDM).

comment:4 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r21221

Note: See TracTickets for help on using tickets.