A vulnerability was found in Ayatana Unity up to 7.2.0. It has been classified as problematic. Affected is an unknown function of the component Lock Screen. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Unity before 7.2.1, as used in Ubuntu 14.04, does not properly restrict access to the Dash when the lock screen is active, which allows physically proximate attackers to bypass the lock screen and execute arbitrary commands, as demonstrated by pressing the SUPER key before the screen auto-locks.

The weakness was shared 05/06/2014 (Website). The advisory is available at bugs.launchpad.net. This vulnerability is traded as CVE-2014-3203 since 05/03/2014. Local access is required to approach this attack. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1068 by the MITRE ATT&CK project.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 195462 (Ubuntu Security Notification for Unity Vulnerabilities (USN-2184-1)).

Upgrading to version 7.1.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (93066). The entry 13152 is related to this item.

Productinfo

Vendor

• Ayatana

Name

• Unity

Version

• 7.0.0
• 7.0.1
• 7.1.0
• 7.1.1
• 7.1.2
• 7.1.3
• 7.2.0

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion