Debian DLA-1959-1 : xtrlock security update

medium Nessus Plugin ID 129855

Synopsis

The remote Debian host is missing a security update.

Description

It was discovered that multitouch devices were not being disabled by the 'xtrlock' screen locking utility.

xtrlock did not block multitouch events so an attacker could still input and thus control various programs such as Chromium, etc. via so-called 'multitouch' events including pan scrolling, 'pinch and zoom' or even being able to provide regular mouse clicks by depressing the touchpad once and then clicking with a secondary finger.

For Debian 8 'Jessie', this issue has been fixed in xtrlock version 2.6+deb8u1. However, this fix does not address the situation where an attacker plugs in a multitouch device *after* the screen has been locked. For more information on this, please see:

https://bugs.debian.org/830726#115

We recommend that you upgrade your xtrlock packages pending a deeper fix.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected xtrlock package.

See Also

https://bugs.debian.org/830726#115

https://lists.debian.org/debian-lts-announce/2019/10/msg00019.html

https://packages.debian.org/source/jessie/xtrlock

Plugin Details

Severity: Medium

ID: 129855

File Name: debian_DLA-1959.nasl

Version: 1.5

Type: local

Agent: unix

Published: 10/15/2019

Updated: 4/18/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2016-10894

CVSS v3

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 4

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:xtrlock

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 10/14/2019

Vulnerability Publication Date: 8/16/2019

Reference Information

CVE: CVE-2016-10894