Bugzilla – Bug 852101
VUL-0: CVE-2013-3710: slms: Security issue - rails secret token for SLMS is not generated and is always same
Last modified: 2013-12-10 16:34:11 UTC
I have assigned CVE-2013-3710 to this problem.
bugbot adjusting priority
Update released for: slms, slms-core, slms-customer-center, slms-devel-doc, slms-external, slms-registration, slms-testsuite Products: SLE-SLMS 1.3 (x86_64)
This issue was found after reports by joernchen of Phenoelit.

Summarized:
- SLMS previously replaced the secret key that shipped with one generated at service start. This functionality was lost during a Rails version upgrade. The update reinstates this key replacement on service start.
- The secret keys were world readable, allowing local attackers to gain the privilege of the SLMS user.
was released
This had some CVE adjustments that Mitre mailed me:

Hello Marcus,

We are processing CVE-2013-3710 from https://bugzilla.novell.com/show_bug.cgi?id=852101 and https://www.suse.com/support/update/announcement/2013/suse-su-20131813-1.html, and we noticed that there were actually two different types of issues being covered:

- "static key" being generated across different installations
- world-readable permissions for keys

Although these are both under the same Novell bug ID, we need to SPLIT them into different IDs because they cover different vulnerability types.

We will keep CVE-2013-3710 associated with the static key since (1) that seems to be the primary emphasis in already-published materials, and (2) many people would likely regard this as more severe than the world-readable permission issue.

We also assigned CVE-2013-7042 for the world-readable permissions.

Both CVEs will show up in NVD within an hour, and on the public CVE web site within 1 or 2 business days.

Regards,
Steve
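The two issues split above (a static shipped key, and world-readable key files) can both be checked and corrected at service start. The following Ruby sketch is an added example, not SLMS code or the shipped fix: the file name `secret_token`, the `SHIPPED_TOKEN` placeholder and both function names are assumptions made for illustration.

```ruby
require 'securerandom'
require 'tmpdir'

# Constructed placeholder for a token that ships identically in every
# installation. This is not the real SLMS value.
SHIPPED_TOKEN = ('0' * 128).freeze

# Return a list of problems found with the token file at +path+.
def audit_secret(path, shipped: SHIPPED_TOKEN)
  return [:missing] unless File.file?(path)
  problems = []
  mode = File.stat(path).mode & 0o777
  # Any group/other bit lets a local user other than the owner reach the key.
  problems << :group_or_world_accessible if (mode & 0o077) != 0
  token = File.read(path).strip
  problems << :static_shipped_token if token == shipped
  problems << :too_short if token.length < 64
  problems
end

# Called at service start: keep a token that passes the audit, otherwise
# replace it. The new token is written to a temp file created 0600 and then
# renamed, so it is never readable by other users, even briefly.
def ensure_secret(path, shipped: SHIPPED_TOKEN)
  return :kept if audit_secret(path, shipped: shipped).empty?
  tmp = "#{path}.#{Process.pid}.tmp"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.chmod(0o600) # umask can only remove bits, but be explicit
    f.write(SecureRandom.hex(64))
    f.fsync
  end
  File.rename(tmp, path)
  :regenerated
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'secret_token') # hypothetical file name
    File.write(path, SHIPPED_TOKEN)       # simulate the packaged default
    File.chmod(0o644, path)               # simulate world-readable mode
    p audit_secret(path)
    p ensure_secret(path)
    p audit_secret(path)
  end
end
```

Running the audit separately from the replacement step makes it usable as a post-update check on existing installations.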