Bug 55559 (CVE-2003-0461) - VUL-0: CVE-2003-0461: kernel: side-channel attack through /proc/tty/driver/serial
Summary: VUL-0: CVE-2003-0461: kernel: side-channel attack through /proc/tty/driver/se...
Status: RESOLVED WONTFIX
Alias: CVE-2003-0461
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Hubert Mantel
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2003-0461: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-14 16:51 UTC by Thomas Biege
Modified: 2021-10-04 08:48 UTC
CC: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Thomas Biege 2004-05-14 16:51:05 UTC
Hello, 
to make it official and trackable. 
 
> CAN-2003-0461 - Information from /proc/tty/driver/serial 
> 
>   From /proc/tty/driver/serial the number of characters entered can be 
>   read. Local attackers can use this information to determine the length 
>   of the password and the time intervals between individual characters 
>   while a password is being entered. This makes guessing the password 
>   easier.
Comment 1 Thomas Biege 2004-05-14 16:51:05 UTC
-
Comment 2 Kurt Garloff 2004-05-15 02:46:59 UTC
Solution would be to make this file 0600? 
Comment 3 Thomas Biege 2004-05-17 15:55:54 UTC
If it doesn't break anything.. yes. 
Comment 4 Hubert Mantel 2004-05-18 15:57:06 UTC
If some attacker counts the characters that go over the serial line: How does he
know that someone typed a password and not simply some command? How does the
attacker know that it is the administrator sitting before the machine? How can
the attacker be sure the administrator is not typing some email but the root
password of the machine?
Of course I will happily set the mode of /proc/.../serial to mode 600. But be
sure that every single bugreport caused by this change will be assigned to the
security people. I cannot believe that you are seriously saying this is a
"vulnerability". Btw, since all other distributions are immune against this
incredibly severe problem: Which fix did they use in order to save the world?
Comment 5 Olaf Kirch 2004-05-18 16:11:37 UTC
I think we should not waste our time on this report. 
 
If you want to fix this problem properly, you would have to change 
the permissions on /proc/interrupts as well, and possibly some /sys 
files too. 
 
While we're at it, we should probably disable the stat64 system call 
as well, because it lets you retrieve the mtime of any pty at 
nanosecond granularity, which is even better than just counting the number 
of keystrokes (because the delay between two key strokes gives you 
additional clues about what is being typed). 
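The two observation channels named in the report and in Comment 5 (the rx counter in /proc/tty/driver/serial, and the mtime of a pty device node as returned by stat64), as an added example that is not part of the bug report or of any comment in it. It shows how a polling reader turns either source into a keystroke count and inter-keystroke intervals. The polled traces are constructed; the /proc line layout follows the serial core's format; all function and variable names are the example's own, not the kernel's.

```python
"""Recover keystroke count and timing from two world-readable sources:
the rx counter in /proc/tty/driver/serial and the mtime of a pty node.
Every input below is constructed; nothing is read from the live system."""
import re
from typing import Iterable, List, Tuple

# One port line as printed by the kernel's serial core, e.g.
#   "0: uart:16550A port:000003F8 irq:4 tx:12 rx:34 RTS|DTR"
# Ports of unknown type carry no tx:/rx: fields.
_PORT_RE = re.compile(
    r"^(?P<line>\d+): uart:(?P<type>\S+) (?:port|mmio):(?P<addr>[0-9A-Fa-f]+)"
    r" irq:(?P<irq>\d+)(?: tx:(?P<tx>\d+) rx:(?P<rx>\d+))?"
)


def rx_count(proc_text: str, line: int = 0) -> int:
    """Return the rx byte counter of serial line `line` from the /proc text."""
    for row in proc_text.splitlines():
        m = _PORT_RE.match(row)
        if m and int(m.group("line")) == line:
            if m.group("rx") is None:
                raise ValueError(f"line {line} reports no counters")
            return int(m.group("rx"))
    raise ValueError(f"line {line} not present")


def change_events(trace: Iterable[Tuple[float, int]]) -> List[Tuple[float, int]]:
    """Collapse a polled (poll_time, value) trace into (poll_time, delta)
    entries at each point where the value changed. For the rx counter the
    delta is the number of bytes received since the previous poll."""
    events, prev = [], None
    for ts, value in trace:
        if prev is not None and value != prev:
            events.append((ts, value - prev))
        prev = value
    return events


def intervals(event_times: List[float]) -> List[float]:
    """Gaps between consecutive events in seconds, rounded to 1 ms."""
    return [round(b - a, 3) for a, b in zip(event_times, event_times[1:])]


def recover_from_serial(proc_trace, line: int = 0):
    """(characters received, inter-keystroke gaps) from polled /proc snapshots.
    Timing resolution here is limited by the poll rate."""
    events = change_events([(ts, rx_count(text, line)) for ts, text in proc_trace])
    return sum(d for _, d in events), intervals([ts for ts, _ in events])


def recover_from_pty_mtime(stat_trace: Iterable[Tuple[float, int]]):
    """(writes observed, gaps) from polled (poll_time, st_mtime_ns) of a pty.
    Each write to the pty updates mtime, so the mtime values themselves give
    the event times at nanosecond granularity, independent of poll jitter."""
    seen: List[int] = []
    for _, mtime_ns in stat_trace:
        if not seen or mtime_ns != seen[-1]:
            seen.append(mtime_ns)
    times = [ns / 1e9 for ns in seen[1:]]  # seen[0] predates polling
    return len(times), intervals(times)


def _serial_snapshot(rx: int) -> str:
    # Constructed /proc/tty/driver/serial content for one 16550A port.
    return ("serinfo:1.0 driver revision:\n"
            f"0: uart:16550A port:000003F8 irq:4 tx:{rx} rx:{rx} RTS|DTR\n"
            "1: uart:unknown port:000002F8 irq:3\n")


# Constructed polled trace: five characters plus Enter arrive at
# 0.10, 0.32, 0.41, 0.80, 0.95 and 1.20 s; other polls see no change.
SERIAL_TRACE = [(ts, _serial_snapshot(rx)) for ts, rx in [
    (0.00, 10), (0.05, 10), (0.10, 11), (0.15, 11), (0.32, 12), (0.41, 13),
    (0.60, 13), (0.80, 14), (0.95, 15), (1.00, 15), (1.20, 16),
]]

# Constructed (poll_time, st_mtime_ns) trace of a pty node for the same
# keystrokes; polls lag the events, but the mtimes carry the real times.
PTY_TRACE = [
    (0.00, 1_000_000_000_000), (0.05, 1_000_000_000_000),
    (0.12, 1_000_100_000_000), (0.35, 1_000_320_000_000),
    (0.45, 1_000_410_000_000), (0.83, 1_000_800_000_000),
    (0.97, 1_000_950_000_000), (1.25, 1_001_200_000_000),
]

if __name__ == "__main__":
    print("serial:", recover_from_serial(SERIAL_TRACE))
    print("pty mtime:", recover_from_pty_mtime(PTY_TRACE))
```

Replacing the constructed traces with a loop that re-reads /proc/tty/driver/serial, or calls os.stat() on a pty node and records st_mtime_ns, is the unprivileged observation the report describes. As Comment 4 notes, neither channel reveals what was typed or by whom; it only yields a count and a timing profile.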
Comment 6 Thomas Biege 2004-05-18 16:13:30 UTC
Yes, right. We should change this too. :) 
Comment 7 Kurt Garloff 2004-05-18 16:24:35 UTC
The immense danger does not justify any kernel change. 
Comment 8 Thomas Biege 2009-10-13 19:44:15 UTC
CVE-2003-0461: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)