Executive Summary

Summary
Titledbus security update
Informations
NameDSA-4462First vendor Publication2019-06-13
VendorDebianLast vendor Modification2019-06-13
Severity (Vendor) N/ARevision1

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:N)
Cvss Base Score3.6Attack RangeLocal
Cvss Impact Score4.9Attack ComplexityLow
Cvss Expoit Score3.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges.

The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability.

The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.

For the stable distribution (stretch), this problem has been fixed in version 1.10.28-0+deb9u1.

We recommend that you upgrade your dbus packages.

For the detailed security status of dbus please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dbus

Original Source

Url : http://www.debian.org/security/2019/dsa-4462

CWE : Common Weakness Enumeration

%idName
100 %CWE-287Improper Authentication

CPE : Common Platform Enumeration

TypeDescriptionCount
Application63
Os4

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2019-06-14 00:19:33
  • First insertion