#VU48557 Insufficiently protected credentials in gnome-shell - CVE-2020-17489

Cybersecurity Help s.r.o.

Published: 2020-08-11 | Updated: 2020-11-19

Vulnerability identifier: #VU48557

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-17489

CWE-ID: CWE-522

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
gnome-shell
Client/Desktop applications / Software for system administration

Vendor: Gnome Development Team

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the way GNOME gnome-shell handles the password box after user logout. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. An attacker with physical access to the system can eavesdrop on the password.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

gnome-shell: 3.36.0 - 3.36.4

External links
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for gnome-shell

Red Hat Enterprise Linux 8 update for gnome-shell

openEuler 20.03 LTS SP1 update for gnome-shell

Gentoo update for GNOME Shell

Insufficiently protected credentials in gnome-shell (Alpine package)

Ubuntu update for gnome-shell

Information disclosure in GNOME gnome-shell