CVE-2019-3825

Impact:
Moderate
Public Date:
2019-02-06
CWE:
CWE-287
Bugzilla:
1672825: CVE-2019-3825 gdm: lock screen bypass when timed login is enabled
A vulnerability was discovered in gdm when timed login is enabled in configuration. An attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire at which time they would gain access to the logged-in user's session.

Find out more about CVE-2019-3825 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 6.3
CVSS3 Base Metrics CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Physical
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 gdm Affected
Red Hat Enterprise Linux 6 gdm Will not fix

Acknowledgements

Red Hat would like to thank the GNOME Project for reporting this issue. Upstream acknowledges Burghard Britzke as the original reporter.

Mitigation

Ensure timed login is not enabled in gdm configuration, by checking the output of:

grep TimedLogin /etc/gdm/custom.conf

External References

Last Modified