Bug 1124628 (CVE-2019-3825) - VUL-0: CVE-2019-3825: gdm: lock screen bypass when timed login is enabled
Summary: VUL-0: CVE-2019-3825: gdm: lock screen bypass when timed login is enabled
Status: RESOLVED FIXED
Alias: CVE-2019-3825
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/224336/
Whiteboard: CVSSv3:RedHat:CVE-2019-3825:6.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-07 12:21 UTC by Robert Frohl
Modified: 2024-05-07 09:24 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2019-02-07 12:21:27 UTC
rh#1672825

A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled
in configuration, an attacker could bypass the lock screen by selecting the
timed login user and waiting for the timer to expire, at which time they would
gain access to the logged-in user's session.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825
https://bugzilla.redhat.com/show_bug.cgi?id=1672825
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3825
https://gitlab.gnome.org/GNOME/gdm/issues/460
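A defender's check for the precondition named in the description, as an added example that is not part of this bug report: it parses the `[daemon]` section of a GDM `custom.conf` and reports whether timed login is enabled, combined with whether the vendor update is installed. The key names `TimedLoginEnable`, `TimedLogin` and `TimedLoginDelay` are GDM's own configuration keys; the sample configuration text, the user name and the delay are constructed.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a GDM /etc/gdm/custom.conf with timed login turned on.
# Key names are GDM's documented custom.conf keys; the user name and delay
# are made-up values for this example.
SAMPLE_VULNERABLE_CONF = """
[daemon]
AutomaticLoginEnable=false
TimedLoginEnable=true
TimedLogin=kiosk
TimedLoginDelay=30
"""

# Constructed sample with timed login disabled (the configuration-side mitigation).
SAMPLE_HARDENED_CONF = """
[daemon]
TimedLoginEnable=false
"""


@dataclass
class TimedLoginStatus:
    enabled: bool
    user: Optional[str]
    delay: Optional[int]


def parse_timed_login(conf_text: str) -> TimedLoginStatus:
    """Extract the timed-login settings from the [daemon] section of a custom.conf."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("daemon"):
        return TimedLoginStatus(False, None, None)
    daemon = parser["daemon"]
    enabled = daemon.getboolean("TimedLoginEnable", fallback=False)
    user = daemon.get("TimedLogin", fallback=None)
    delay = daemon.getint("TimedLoginDelay", fallback=None)
    return TimedLoginStatus(enabled, user, delay)


def assess(conf_text: str, gdm_fixed: bool) -> str:
    """Combine the config state with whether a fixed gdm (e.g. SUSE-SU-2019:0527-1) is installed."""
    status = parse_timed_login(conf_text)
    if not status.enabled:
        return "not exposed: timed login disabled"
    if gdm_fixed:
        return f"timed login enabled for {status.user!r} (delay {status.delay}s); gdm patched"
    return f"EXPOSED: timed login enabled for {status.user!r}; gdm unpatched (CVE-2019-3825)"
```

On a real host, read `/etc/gdm/custom.conf` into `assess()` and derive `gdm_fixed` from the installed package version against the advisory's fixed package.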
Comment 1 Felix Zhang 2019-02-14 11:58:56 UTC
Reproducible on SLE15 but not on SLE12, where, from the code, sessions only start a conversation when created.
Comment 6 Swamp Workflow Management 2019-03-01 17:10:50 UTC
SUSE-SU-2019:0527-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1112294,1112578,1113245,1113700,1120307,1124628
CVE References: CVE-2019-3825
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    gdm-3.26.2.1-13.19.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    gdm-3.26.2.1-13.19.2
Comment 7 Swamp Workflow Management 2019-03-09 08:31:09 UTC
openSUSE-SU-2019:0310-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1112294,1112578,1113245,1113700,1120307,1124628
CVE References: CVE-2019-3825
Sources used:
openSUSE Leap 15.0 (src):    gdm-3.26.2.1-lp150.11.9.1
Comment 8 Swamp Workflow Management 2019-03-19 10:24:49 UTC
openSUSE-SU-2019:0310-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1112294,1112578,1113245,1113700,1120307,1124628
CVE References: CVE-2019-3825
Sources used:
openSUSE Leap 15.0 (src):    gdm-3.26.2.1-lp150.11.9.1
Comment 10 Thomas Leroy 2024-05-07 09:24:18 UTC
All done, closing.