Bug 1028792 - (CVE-2017-6590) VUL-1: CVE-2017-6590: NetworkManager-gnome: Access to local files and execution of arbitrary commands as the lightdm user
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Reported: 2017-03-10 06:16 UTC by Marcus Meissner
Modified: 2021-01-07 11:00 UTC
Found By: Security Response Team


Description Marcus Meissner 2017-03-10 06:16:28 UTC

An issue was discovered in network-manager-applet (aka network-manager-gnome) in
Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use
this issue at the default Ubuntu login screen to access local files and execute
arbitrary commands as the lightdm user. The exploitation requires physical
access to the locked computer and the Wi-Fi must be turned on. An access point
that lets you use a certificate to log in is required as well, but it's easy to
create one. Then, it's possible to open a nautilus window and browse
directories. One also can open some applications such as Firefox, which is
useful for downloading malicious binaries.

Comment 1 Marcus Meissner 2017-03-10 06:47:08 UTC
This is partially an issue of the display manager too.

It's not clear to me if it affects SLED/SLES+WE or openSUSE.

Comment 2 Frederic Crozat 2017-03-14 13:30:50 UTC
(In reply to Marcus Meissner from comment #1)
> This is partially an issue of the display manager too.

It affects lightdm, so SLE is not affected.