Vulnerabilities > CVE-2013-0240 - Cryptographic Issues vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network. Per http://www.ubuntu.com/usn/usn-1779-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10"
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1779-1.NASL description It was discovered that GNOME Online Accounts did not properly check SSL certificates when configuring online accounts. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise credentials and confidential information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 65685 published 2013-03-26 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65685 title Ubuntu 11.10 / 12.04 LTS / 12.10 : gnome-online-accounts vulnerability (USN-1779-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-1779-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(65685); script_version("1.8"); script_cvs_date("Date: 2019/09/19 12:54:29"); script_cve_id("CVE-2013-0240", "CVE-2013-1799"); script_bugtraq_id(57753, 58787); script_xref(name:"USN", value:"1779-1"); script_name(english:"Ubuntu 11.10 / 12.04 LTS / 12.10 : gnome-online-accounts vulnerability (USN-1779-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that GNOME Online Accounts did not properly check SSL certificates when configuring online accounts. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise credentials and confidential information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/1779-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected gnome-online-accounts and / or libgoa-1.0-0 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gnome-online-accounts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgoa-1.0-0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/01"); script_set_attribute(attribute:"patch_publication_date", value:"2013/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(11\.10|12\.04|12\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 11.10 / 12.04 / 12.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"11.10", pkgname:"gnome-online-accounts", pkgver:"3.2.1-0ubuntu1.1")) flag++; if (ubuntu_check(osver:"11.10", pkgname:"libgoa-1.0-0", pkgver:"3.2.1-0ubuntu1.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"gnome-online-accounts", pkgver:"3.4.0-0ubuntu1.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"libgoa-1.0-0", pkgver:"3.4.0-0ubuntu1.1")) flag++; if (ubuntu_check(osver:"12.10", pkgname:"gnome-online-accounts", pkgver:"3.6.0-0ubuntu1.1")) flag++; if (ubuntu_check(osver:"12.10", pkgname:"libgoa-1.0-0", pkgver:"3.6.0-0ubuntu1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnome-online-accounts / libgoa-1.0-0"); }NASL family Fedora Local Security Checks NASL id FEDORA_2013-2202.NASL description Backport fix for RH #908000 (CVE-2013-0240) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-02-27 plugin id 64899 published 2013-02-27 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64899 title Fedora 17 : gnome-online-accounts-3.4.2-3.fc17 (2013-2202) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-120.NASL description gnome-online-accounts was updated to do SSL certicicate checking when creating accounts, avoiding man-in-the-middle attack possibilities. (CVE-2013--240) last seen 2020-06-05 modified 2014-06-13 plugin id 74892 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74892 title openSUSE Security Update : gnome-online-accounts (openSUSE-SU-2013:0301-1)
References
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
- http://secunia.com/advisories/51976
- http://secunia.com/advisories/52791
- http://ubuntu.com/usn/usn-1779-1
- https://bugzilla.gnome.org/show_bug.cgi?id=693214
- https://bugzilla.redhat.com/show_bug.cgi?id=894352
- https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1
- https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f
- https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e
- https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html