PT-2013-1180 · None+4 · Polkit+4

Sebastian Krahmer

Publicado

2013-09-19

Atualizado

2024-06-15

CVE-2013-4288

CVSS v2.0

7.2

Alta

Vetor

AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions polkit versions 0.96 hplip versions prior to 3.14.1

Description The issue allows local users to bypass intended restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to the polkit unix process new API function, the dbus API, or the --process (unix-process) option for authorization to pkcheck. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of the issue can be carried out locally.

Recommendations For polkit version 0.96, consider disabling the polkit unix process new function until a patch is available. For hplip versions prior to 3.14.1, update to version 3.14.1 or later to resolve the issue. As a temporary workaround, restrict access to the pkcheck authorization process to minimize the risk of exploitation.

Correção

Race Condition

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-362

Identificadores relacionados

ALT-PU-2015-1588

BDU:2015-06853

BDU:2015-06854

BDU:2015-06855

BDU:2015-06856

BDU:2015-06857

BDU:2015-09038

BDU:2015-09039

BDU:2015-09040

BDU:2015-09041

BDU:2015-09042

BDU:2015-09744

CESA-2013_1270

CVE-2013-4288

MGASA-2013-0293

OPENSUSE-SU-2024:10356-1

OPENSUSE-SU-2024:10436-1

RHSA-2013:1270

RHSA-2013_1270

Produtos afetados

Alt Linux

Centos

Red Hat

Hplip

Polkit

PT-2013-1180 · None+4 · Polkit+4

CVE-2013-4288

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 55