PT-2014-1805 · Kde+5 · Kdelibs+6

Published

2014-07-23

Updated

2014-10-29

CVE-2014-5033

CVSS v2.0

6.9

Medium

Vector

AV:L/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions polkit-qt versions 0.103.0 kdelibs versions prior to 4.14 kauth versions prior to 5.1

Description The issue allows local users to bypass intended access restrictions, potentially leading to a violation of confidentiality, integrity, and availability of protected information. This can be exploited locally. The problem is related to a PolkitUnixProcess PolkitSubject race condition via a setuid process or pkexec process.

Recommendations For polkit-qt version 0.103.0, update to a newer version that contains a fix for this issue. For kdelibs versions prior to 4.14, update to version 4.14 or later. For kauth versions prior to 5.1, update to version 5.1 or later. As a temporary workaround, consider restricting access to the polkit authority to minimize the risk of exploitation.

Exploit

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

BDU:2015-04138

BDU:2015-06858

BDU:2015-06859

BDU:2015-06860

BDU:2015-06861

BDU:2015-09215

BDU:2015-09216

BDU:2015-09217

BDU:2015-09218

CESA-2014_1359

CVE-2014-5033

DLA-76-1

DSA-3004-1

MGASA-2014-0327

MGASA-2014-0432

RHSA-2014:1359

RHSA-2014_1359

USN-2304-1

Affected Products

Centos

Red Hat

Ubuntu

Kauth

Kdelibs

Pkexec

Polkit-Qt

PT-2014-1805 · Kde+5 · Kdelibs+6

CVE-2014-5033

Weakness Enumeration

Related Identifiers

Affected Products

References · 82