CVE-2021-34557 — MEDIUM (4.6)

Vulnerability Description

XScreenSaver 5.45 can be bypassed if the machine has more than ten disconnectable video outputs. A buffer overflow in update_screen_layout() allows an attacker to bypass the standard screen lock authentication mechanism by crashing XScreenSaver. The attacker must physically disconnect many video outputs.

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xscreensaver Project	Xscreensaver	5.45
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-120

References

http://www.openwall.com/lists/oss-security/2021/06/11/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/07/06/2ExploitMailing ListThird Party Advisory
https://github.com/QubesOS/qubes-issues/issues/6595Issue TrackingThird Party Advisory
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-068-2021.txtExploitThird Party Advisory
https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outpPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.openwall.com/lists/oss-security/2021/06/05/1ExploitMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/06/11/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/07/06/2ExploitMailing ListThird Party Advisory
https://github.com/QubesOS/qubes-issues/issues/6595Issue TrackingThird Party Advisory
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-068-2021.txtExploitThird Party Advisory
https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outpPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.openwall.com/lists/oss-security/2021/06/05/1ExploitMailing ListThird Party Advisory

FAQ

What is CVE-2021-34557?

CVE-2021-34557 is a vulnerability with a CVSS score of 4.6 (MEDIUM). XScreenSaver 5.45 can be bypassed if the machine has more than ten disconnectable video outputs. A buffer overflow in update_screen_layout() allows an attacker to bypass the standard screen lock authe...

How severe is CVE-2021-34557?

CVE-2021-34557 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-34557?

Check the references section above for vendor advisories and patch information. Affected products include: Xscreensaver Project Xscreensaver, Fedoraproject Fedora.