#VU17709 Security restrictions bypass in gnome-shell - CVE-2019-3820


Vulnerability identifier: #VU17709

Vulnerability risk: Medium

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-3820

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
gnome-shell
Client/Desktop applications / Software for system administration

Vendor: Gnome Development Team

Description

The vulnerability allows a physical attacker to bypass security restrictions on the system.

The vulnerability exists due to the lock screen feature does not properly restrict all contextual actions. A physical attacker can click on the password text field to bypass the lock screen and re-enable certain keyboard shortcuts, which the attacker can use to perform unauthorized actions on the system.

Mitigation
Update to version 3.31.90.

Vulnerable software versions

gnome-shell: 3.15.91 - 3.19.92, 3.20.0 - 3.29.92, 3.30.0 - 3.31.4

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3820
https://gitlab.gnome.org/GNOME/gnome-shell/issues/851

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for gnome-shell
Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
openEuler update for gnome-shell
CentOS 7 update for gnome-settings-daemon
Red Hat Enterprise Linux 7 update for GNOME
OpenSUSE Linux update for gnome-shell
OpenSUSE Linux update for gnome-shell
Ubuntu update for GNOME Shell
Arch Linux update for gdm
Arch Linux update for gdm