Executive Summary

Information

Name: CVE-2013-4325
Vendor: Cve
First vendor publication: 2013-09-23
Last vendor modification: 2014-01-14

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA              Environmental score: NA
Impact subscore: NA         Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 6.9        Attack range: Local
CVSS impact score: 10       Attack complexity: Medium
CVSS exploit score: 3.4     Authentication: None required

Detail

The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4325

CWE : Common Weakness Enumeration

%       Id       Name
100 %   CWE-264  Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19347
 
Oval ID: oval:org.mitre.oval:def:19347
Title: USN-1956-1 -- hplip vulnerability
Description: HPLIP could be tricked into bypassing polkit authorizations.
Family: unix Class: patch
Reference(s): USN-1956-1
CVE-2013-4325
Version: 5
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): hplip
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21246
 
Oval ID: oval:org.mitre.oval:def:21246
Title: RHSA-2013:1274: hplip security update (Important)
Description: The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process.
Family: unix Class: patch
Reference(s): RHSA-2013:1274-00
CESA-2013:1274
CVE-2013-4325
Version: 4
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): hplip
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23555
 
Oval ID: oval:org.mitre.oval:def:23555
Title: ELSA-2013:1274: hplip security update (Important)
Description: The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process.
Family: unix Class: patch
Reference(s): ELSA-2013:1274-00
CVE-2013-4325
Version: 6
Platform(s): Oracle Linux 6
Product(s): hplip
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27501
 
Oval ID: oval:org.mitre.oval:def:27501
Title: DEPRECATED: ELSA-2013-1274 -- hplip security update (important)
Description: [3.12.4-4:.1] - Applied patch to avoid unix-process authorization subject when using polkit as it is racy (CVE-2013-4325).
Family: unix Class: patch
Reference(s): ELSA-2013-1274
CVE-2013-4325
Version: 4
Platform(s): Oracle Linux 6
Product(s): hplip
Definition Synopsis:

CPE : Common Platform Enumeration

Type         Description   Count
Application                35

Nessus® Vulnerability Scanner

Date Description
2014-06-27 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201406-27.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-812.nasl - Type : ACT_GATHER_INFO
2014-02-04 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_hplip-140116.nasl - Type : ACT_GATHER_INFO
2013-12-31 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2829.nasl - Type : ACT_GATHER_INFO
2013-10-20 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2013-291-01.nasl - Type : ACT_GATHER_INFO
2013-10-20 Name : The remote Fedora host is missing a security update.
File : fedora_2013-17112.nasl - Type : ACT_GATHER_INFO
2013-10-10 Name : The remote Fedora host is missing a security update.
File : fedora_2013-17171.nasl - Type : ACT_GATHER_INFO
2013-09-28 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-243.nasl - Type : ACT_GATHER_INFO
2013-09-20 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1274.nasl - Type : ACT_GATHER_INFO
2013-09-20 Name : The remote Fedora host is missing a security update.
File : fedora_2013-17127.nasl - Type : ACT_GATHER_INFO
2013-09-20 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1274.nasl - Type : ACT_GATHER_INFO
2013-09-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1274.nasl - Type : ACT_GATHER_INFO
2013-09-20 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130919_hplip_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-09-19 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1956-1.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1002375
https://bugzilla.redhat.com/show_bug.cgi?id=1006674
DEBIAN http://www.debian.org/security/2013/dsa-2829
REDHAT http://rhn.redhat.com/errata/RHSA-2013-1274.html
SUSE http://lists.opensuse.org/opensuse-updates/2013-10/msg00062.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00000.html
UBUNTU http://www.ubuntu.com/usn/USN-1956-1

Alert History

Date Information
2021-05-04 12:27:14
  • Multiple Updates
2021-04-22 01:32:59
  • Multiple Updates
2020-05-23 00:37:58
  • Multiple Updates
2016-04-26 23:32:24
  • Multiple Updates
2014-06-28 13:27:13
  • Multiple Updates
2014-06-14 13:36:03
  • Multiple Updates
2014-02-17 11:22:00
  • Multiple Updates
2014-01-14 13:20:34
  • Multiple Updates
2013-12-08 13:19:33
  • Multiple Updates
2013-10-01 17:19:56
  • Multiple Updates
2013-09-27 13:21:31
  • Multiple Updates
2013-09-24 00:20:26
  • Multiple Updates
2013-09-23 21:20:14
  • First insertion