CVE-2015-8025 - Vulnerability Details - OpenCVE

driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00058.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Xscreensaver Project	Xscreensaver

Configuration 1 [-]

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

Configuration 2 [-]

cpe:2.3:a:xscreensaver_project:xscreensaver:5.33:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-338-1	xscreensaver security update
Debian DSA	DSA-3438-1	xscreensaver security update
EUVD	EUVD-2015-7920	driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors.
Ubuntu USN	USN-2789-1	XScreenSaver vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html
http://www.debian.org/security/2016/dsa-3438
http://www.openwall.com/lists/oss-security/2015/10/24/2
http://www.openwall.com/lists/oss-security/2015/10/25/1
http://www.openwall.com/lists/oss-security/2015/10/29/12
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.securitytracker.com/id/1034052
http://www.ubuntu.com/usn/USN-2789-1
https://twitter.com/Thaolia/status/656823859304398848
https://www.jwz.org/blog/2015/10/xscreensaver-5-34/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-11-10T16:00:00

Updated: 2024-08-06T08:06:31.810Z

Reserved: 2015-10-29T00:00:00

Link: CVE-2015-8025

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-11-10T17:59:11.653

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-8025

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-24T00:00:00", "descriptions": [{"lang": "en", "value": "driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-05T22:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}, {"name": "1034052", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034052"}, {"name": "openSUSE-SU-2015:2032", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"name": "DSA-3438", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3438"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"name": "[oss-security] 20151024 CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"name": "[oss-security] 20151025 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"name": "[oss-security] 20151029 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"name": "USN-2789-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2789-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8025", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/", "refsource": "CONFIRM", "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}, {"name": "1034052", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034052"}, {"name": "openSUSE-SU-2015:2032", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"name": "DSA-3438", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3438"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"name": "[oss-security] 20151024 CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"name": "[oss-security] 20151025 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"name": "[oss-security] 20151029 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"name": "https://twitter.com/Thaolia/status/656823859304398848", "refsource": "MISC", "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"name": "USN-2789-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2789-1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:06:31.810Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}, {"name": "1034052", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034052"}, {"name": "openSUSE-SU-2015:2032", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"name": "DSA-3438", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3438"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"name": "[oss-security] 20151024 CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"name": "[oss-security] 20151025 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"name": "[oss-security] 20151029 Re: CVE request: xscreensaver aborts when unpluging second monitor cable when asking password", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"name": "USN-2789-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2789-1"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8025", "datePublished": "2015-11-10T16:00:00", "dateReserved": "2015-10-29T00:00:00", "dateUpdated": "2024-08-06T08:06:31.810Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xscreensaver_project:xscreensaver:5.33:*:*:*:*:*:*:*", "matchCriteriaId": "1E905914-5F5A-44E7-BE79-8175DBC53EEE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors."}, {"lang": "es", "value": "driver/subprocs.c en XScreenSaver en versiones anteriores a 5.34 no lleva a cabo correctamente una comprobaci\u00f3n de consistencia interna, lo que permite a atacantes f\u00edsicamente pr\u00f3ximos eludir la pantalla de bloqueo cambiando los monitores sin apagar el dispositivo."}], "id": "CVE-2015-8025", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-10T17:59:11.653", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2016/dsa-3438"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1034052"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2789-1"}, {"source": "cve@mitre.org", "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"source": "cve@mitre.org", "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3438"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.openwall.com/lists/oss-security/2015/10/24/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/10/25/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/10/29/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034052"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2789-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://twitter.com/Thaolia/status/656823859304398848"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.jwz.org/blog/2015/10/xscreensaver-5-34/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}