CVE-2013-7252

kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack.

Published Bysecalert@redhat.com

Published DateJan 18, 2015, 18:59

Weakness Type (CWE):CWE-310

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/
http://www.openwall.com/lists/oss-security/2014/01/02/3
http://www.openwall.com/lists/oss-security/2015/01/09/7
http://www.securityfocus.com/bid/67716
https://bugzilla.redhat.com/show_bug.cgi?id=1048168
https://security.gentoo.org/glsa/201606-19
https://www.kde.org/info/security/advisory-20150109-1.txt

Weakness Type (CWE):CWE-310

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE