openEuler 20.03 LTS SP1 update for gnome-shell

1) Insufficiently protected credentials

EUVDB-ID: #VU48557

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-17489

CWE-ID: CWE-522 - Insufficiently Protected Credentials

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the way GNOME gnome-shell handles the password box after user logout. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. An attacker with physical access to the system can eavesdrop on the password.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1

gnome-shell-help: before 3.30.1-8

gnome-shell-debugsource: before 3.30.1-8

gnome-shell-debuginfo: before 3.30.1-8

gnome-shell: before 3.30.1-8

CPE2.3

• cpe:2.3:o:openeuler:openeuler:20.03:LTS SP1:*:*:*:*:*:*
• cpe:2.3:a:openeuler:gnome-shell-help:*:*:*:*:*:openeuler:*:*
• cpe:2.3:a:openeuler:gnome-shell-debugsource:*:*:*:*:*:openeuler:*:*
• cpe:2.3:a:openeuler:gnome-shell-debuginfo:*:*:*:*:*:openeuler:*:*
• cpe:2.3:a:openeuler:gnome-shell:*:*:*:*:*:openeuler:*:*

External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1152

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.