CVE-2013-7273 in Display Managerinfo

Summary

by MITRE

GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/12/2026

The vulnerability identified as CVE-2013-7273 affects GNOME Display Manager versions 3.4.1 and earlier, specifically when the disable-user-list configuration parameter is enabled. This flaw represents a denial of service condition that fundamentally undermines the authentication mechanism of the display manager. The issue manifests when local users exploit a specific interaction pattern within the login process, creating a scenario where legitimate authentication attempts become impossible. The vulnerability resides in how gdm handles user input and state management during the authentication flow, particularly when the user list is disabled and the system expects specific interaction sequences.

The technical implementation of this vulnerability stems from inadequate input validation and state handling within the gdm authentication subsystem. When disable-user-list is enabled, the display manager operates under the assumption that users will either select from a predefined list or provide credentials directly. However, the code fails to properly account for the scenario where a user enters a username and then cancels the operation, leading to an inconsistent internal state that prevents subsequent login attempts. This represents a classic case of improper error handling and state management, which aligns with CWE-390, indicating a lack of proper error handling that can lead to system instability. The flaw demonstrates a weakness in the input validation process where the system does not adequately validate the sequence of user interactions, particularly when dealing with cancellation events.

The operational impact of this vulnerability extends beyond simple service disruption, as it creates a persistent authentication barrier that affects all users attempting to log into the system. Local users can exploit this condition repeatedly, making it particularly dangerous in multi-user environments where the denial of service could be used as a persistent attack vector. The vulnerability essentially locks users out of their own systems through legitimate interaction patterns, creating a scenario where the system becomes unusable for authentication purposes. This condition can be particularly problematic in enterprise environments where display manager accessibility and system availability are critical components of the overall security infrastructure. The attack requires minimal privileges and can be executed by any local user, making it a significant concern for system administrators who must maintain continuous service availability.

Mitigation strategies for this vulnerability involve immediate patching of the gdm component to versions that address the specific state management issue. System administrators should disable the disable-user-list configuration parameter until the vulnerability is resolved, as this eliminates the attack vector entirely. Additionally, monitoring for unusual login patterns and implementing proper logging of authentication attempts can help detect exploitation attempts. The vulnerability also highlights the importance of proper input validation and state management in authentication systems, aligning with ATT&CK technique T1547.001 which covers registry run keys and startup folder. Organizations should conduct regular security assessments of their display manager configurations and ensure that all authentication components maintain proper state consistency. The incident also underscores the need for comprehensive testing of edge cases in authentication flows, particularly when dealing with user cancellation and alternative input methods that could lead to inconsistent system states.

Reservation

01/07/2014

Disclosure

04/29/2014

Moderation

accepted

Entry

VDB-12079

CPE

ready

EPSS

0.00368

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!