Oracle Solaris Third-Party Patch Update : libdbus (cve_2012_3524_permissions_privileges)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing patches that address the
following security issue :

- libdbus 1.5.x and earlier, when used in setuid or other
privileged programs in X.org and possibly other
products, allows local users to gain privileges and
execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS
environment variable. NOTE: libdbus maintainers state
that this is a vulnerability in the applications that do
not cleanse environment variables, not in libdbus
itself: 'we do not support use of libdbus in setuid
binaries that do not sanitize their environment before
their first call into libdbus.' (CVE-2012-3524)

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?dfd45fe5

Solution :

Upgrade to Solaris 11/11 SRU 12.4.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: Solaris Local Security Checks

Nessus Plugin ID: 80665

Bugtraq ID:

CVE ID: CVE-2012-3524
