 
oss-sec mailing list archives
Re: oath-toolkit PAM module OTP token invalidation issue
From: cve-assign () mitre org
Date: Sun, 9 Feb 2014 19:34:47 -0500 (EST)
> http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html

> There is a test file with comments in the distribution, so I believe this is an actual bug with security implications

> leaving it vulnerable to replay of OTPs

> It will keep on updating the commented-out entry, whilst leaving the entry for secret "efgh" untouched.

> because skipped_users wasn't incremented, writes the update to the commented out line.

Use CVE-2013-7322.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
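
Added example, not part of the message above and not oath-toolkit's code: a simplified Python model of the failure mode the quoted report describes, where a lookup pass and a positional update pass disagree about a commented-out entry. The four-field line format, the function names and the count_comments switch are assumptions made for illustration; only the secret "efgh" comes from the report.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

def authenticate(lines, user, otp, count_comments):
    """Two-pass model: look the entry up, then rewrite it by position.
    Constructed line format: "<type> <user> <secret> <counter>".
    Returns (accepted, new_lines)."""
    skipped, new_counter = 0, None
    for line in lines:                      # pass 1: lookup
        f = line.split()
        if len(f) != 4 or f[1] != user:
            continue
        if f[0] != "HOTP":                  # e.g. "#HOTP": not a usable entry
            # Modelled bug: the line is passed over without being counted.
            skipped += 1 if count_comments else 0
            continue
        if hotp(f[2].encode(), int(f[3])) == otp:
            new_counter = int(f[3]) + 1
            break
        skipped += 1                        # another token of this user
    if new_counter is None:
        return False, lines
    out = []
    for line in lines:                      # pass 2: update the Nth line for user
        f = line.split()
        if len(f) == 4 and f[1] == user:
            if skipped == 0:
                line = f"{f[0]} {f[1]} {f[2]} {new_counter}"
            skipped -= 1
        out.append(line)
    return True, out

def replay_accepted(count_comments):
    """Present the same OTP twice; return (first, second, final_lines)."""
    lines = ["#HOTP alice abcd 0", "HOTP alice efgh 0"]  # constructed sample
    otp = hotp(b"efgh", 0)
    first, lines = authenticate(lines, "alice", otp, count_comments)
    second, lines = authenticate(lines, "alice", otp, count_comments)
    return first, second, lines
```

With count_comments=False the counter update lands on the commented-out line and the same OTP is accepted a second time; with count_comments=True the active entry advances and the second attempt is rejected.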
Current thread:
- oath-toolkit PAM module OTP token invalidation issue Florian Weimer (Feb 07)
- Re: oath-toolkit PAM module OTP token invalidation issue cve-assign (Feb 09)
 


