Detections
Analytics
Debian DSA-4462-1 : dbus - security update
high Nessus Plugin ID 125905
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges.The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability.
The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.
Solution
Upgrade the dbus packages.For the stable distribution (stretch), this problem has been fixed in version 1.10.28-0+deb9u1.
See Also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930375
https://security-tracker.debian.org/tracker/source-package/dbus
Plugin Details
Severity: High
ID: 125905
File Name: debian_DSA-4462.nasl
Version: 1.2
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 6/14/2019
Updated: 1/10/2020
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.2
CVSS v2
Risk Factor: Low
Base Score: 3.6
Temporal Score: 2.7
Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSS v3
Risk Factor: High
Base Score: 7.1
Temporal Score: 6.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:dbus, cpe:/o:debian:debian_linux:9.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 6/13/2019
Vulnerability Publication Date: 6/11/2019
Reference Information
CVE: CVE-2019-12749
DSA: 4462