CVE-2012-5577

7.5 HIGH

📋 TL;DR

Python keyring library versions before 0.10 created keyring files with world-readable permissions (0666), allowing any user on the system to read stored passwords and credentials. This affects any system using vulnerable versions of python-keyring to store sensitive data.

💻 Affected Systems

Products:
  • python-keyring
Versions: All versions before 0.10
Operating Systems: Linux, Unix-like systems, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where python-keyring is used to store credentials and the keyring files are created with default permissions.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full credential compromise of all users on the system, leading to privilege escalation, data theft, and lateral movement within the environment.

🟠 Likely Case

Unauthorized users reading stored passwords and API keys, potentially compromising associated services and accounts.

🟢 If Mitigated

Limited impact if proper file permissions are manually set or if keyring files contain no sensitive data.

🌐 Internet-Facing: LOW - This is a local file permission issue requiring local system access.
🏢 Internal Only: HIGH - Any user on a multi-user system can read the keyring files, making shared hosting environments particularly vulnerable.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access to read the world-readable keyring files. No special tools or techniques needed beyond standard file reading.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10 and later

Vendor Advisory: https://bitbucket.org/kang/python-keyring-lib/commits/049cd181470f1ee6c540e1d64acf1def7b1de0c1

Restart Required: No

Instructions:

1. Upgrade python-keyring to version 0.10 or later using pip (the version specifier must be quoted, otherwise the shell treats '>' as a redirect):

pip install --upgrade "keyring>=0.10"

2. Verify that the new version creates keyring files with proper permissions (0600).

🔧 Temporary Workarounds

Manual permission fix

Platform: linux

Manually set proper permissions on existing keyring files

chmod 600 ~/.local/share/python_keyring/keyring_pass.cfg
chmod 600 ~/.local/share/python_keyring/keyring.cfg

Alternative storage backend

Platform: all

Use a different keyring backend that doesn't create world-readable files

pip install keyrings.alt

Then configure keyring to use SecretService, KWallet, or another OS-backed secure backend instead of the plain file backend.

🧯 If You Can't Patch

  • Manually set file permissions on all keyring files to 0600
  • Move keyring files to a directory with restricted access permissions

🔍 How to Verify

Check if Vulnerable:

Check keyring file permissions:

ls -la ~/.local/share/python_keyring/*.cfg

If the files show -rw-rw-rw- (0666), the system is vulnerable.

Check Version:

python -c "import keyring; print(keyring.__version__)"

Verify Fix Applied:

After upgrading, verify that newly created keyring files have -rw------- (0600) permissions.
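The checks above, as an added audit script that is not part of this advisory or of the keyring project: it flags keyring *.cfg files under the directory named on this page that group or others can access, tightens them to 0600 (the same effect as the chmod workaround), and shows the creation pattern that avoids the bug in the first place (permissions applied at creation via os.open rather than open() followed by chmod). Function names and the constructed fixture directory are my own.

```python
import os
import stat
import tempfile
from pathlib import Path

# Default location of the file-based keyring backend (path taken from the advisory).
DEFAULT_KEYRING_DIR = Path.home() / ".local" / "share" / "python_keyring"
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO  # any non-owner access


def audit_keyring_files(directory=DEFAULT_KEYRING_DIR):
    """Return {path: mode} for every *.cfg file that group or others can access."""
    exposed = {}
    for path in Path(directory).glob("*.cfg"):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & GROUP_OTHER_BITS:
            exposed[path] = mode
    return exposed


def fix_keyring_files(directory=DEFAULT_KEYRING_DIR):
    """chmod 0600 every exposed keyring file; return the paths that were changed."""
    fixed = []
    for path in audit_keyring_files(directory):
        path.chmod(0o600)  # same effect as the 'chmod 600' workaround above
        fixed.append(path)
    return fixed


def create_private_file(path, data):
    """Create a secrets file that is owner-only from the first instant.

    Giving os.open mode 0o600 applies the permission at creation (umask can only
    clear bits); open() followed by chmod leaves a window at 0666 & ~umask.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_sample_dir():
    """Constructed fixture: one 0666 keyring file (vulnerable) and one 0600 file."""
    d = Path(tempfile.mkdtemp())
    bad, good = d / "keyring_pass.cfg", d / "keyring.cfg"
    for p, mode in ((bad, 0o666), (good, 0o600)):
        p.write_text("[keyring]\n")
        p.chmod(mode)
    return d, bad, good
```

Run audit_keyring_files() with no argument to scan the real keyring directory; fix_keyring_files() applies the 0600 fix to whatever it reports.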

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns to keyring configuration files

Network Indicators:

  • None - this is a local file system vulnerability

SIEM Query:

File monitoring for read access to ~/.local/share/python_keyring/keyring*.cfg from non-owner users
