Dont Blink Against The Ubuntu Information Leak Vulnerability(CVE-2016-1000002)Paz 21 Ocak 2018
Will we always talk about success stories? This time, I am writing about how I failed and what I learned from that.
You can ask why I make the title as "Don’t Blink." This catchword reminded me a part of the Doctor Who. On this occasion, I also wanted to talk about the angels. Yes, we can start with a brief introduction.
The weeping angel is an alien race from Doctor Who series who looks like a statue of a winged that their faces covered by his hands. Angels can send people back to a time with touching people. So they could absorb life-energy of that person. They are also physically so powerful. There is only one thing that can say about them: "Don’t Blink."
When I came across CVE-referenced vulnerability, That's the first word is "Weeping Angels" that came to mind. I guess I'm lucky because of I did not blink my eyes at that moment :)
First, When I've switched from standby mode to normal mode, I discovered the vulnerability.
Reproduction Steps :
- Log in once
- Open a sensitive document. For example, a password file, Gmail, Instant messaging, etc.
- Stand-By my laptop
- close the laptop's monitor.
- Wait 3-5 seconds and open the laptop's monitor.
- The desktop seems for a short time.
- The attacker can obtain a lot of sensitive information.
I was surprised after seeing this. An important part of my mail could see when frame - by - frame playback that I have already taken video from my screen via a camera. I got a result from this vulnerability shortly.
I immediately sent a mail to Ubuntu Security, but they told me that others have already found it. I saw that CVE-2016-1000002 created, and It marked "LOW" with 2.4 CVSS scores.
We can see that it has a low score because it needs to be physically accessible. A dialogue has passed about this vulnerability in Redhat Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1391126 )
Question: WHY won’t fix?
Answer: “Requirement for physical access of the attacker and limited information disclosure as the only impact makes this a Low impact bug, hence WONTFIX.”
When I consider the important points that underlined, I need to redefine the "attacker" at that.
Who is the attacker?
CVSS: Attack vector Physical (P) : “Vulnerable component must be physically touched or controlled by the attacker.”
Yes, in the above definition, Physically threat was defined as a person coming from outside the company but what would you do in case of a possible insider threat?
I do not think that the CVSS results accurately reflect the physical threats.The fact that the CVSS score is "low" that It does not mean you could be less attention to human movements in the office. Your any office friend who is an insider threat could exploit this vulnerability even that having no technical knowledge.
So, it is a high risk if this vulnerability will not be patched. Also, I would like to make the finish with the bonus video below.