Vulnerability   
Search   
    Search 211766 CVE descriptions
and 97459 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.703266
Category:Debian Local Security Checks
Title:Debian Security Advisory DSA 3266-1 (fuse - security update)
Summary:Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not;scrub the environment before executing mount or umount with elevated;privileges. A local user can take advantage of this flaw to overwrite;arbitrary files and gain elevated privileges by accessing debugging;features via the environment that would not normally be safe for;unprivileged users.
Description:Summary:
Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not
scrub the environment before executing mount or umount with elevated
privileges. A local user can take advantage of this flaw to overwrite
arbitrary files and gain elevated privileges by accessing debugging
features via the environment that would not normally be safe for
unprivileged users.

Affected Software/OS:
fuse on Debian Linux

Solution:
For the oldstable distribution (wheezy), this problem has been fixed
in version 2.9.0-2+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.9.3-15+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your fuse packages.

CVSS Score:
3.6

CVSS Vector:
AV:L/AC:L/Au:N/C:N/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2015-3202
BugTraq ID: 74765
http://www.securityfocus.com/bid/74765
Debian Security Information: DSA-3266 (Google Search)
http://www.debian.org/security/2015/dsa-3266
Debian Security Information: DSA-3268 (Google Search)
http://www.debian.org/security/2015/dsa-3268
https://www.exploit-db.com/exploits/37089/
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159831.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159683.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159543.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159298.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160106.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160094.html
https://security.gentoo.org/glsa/201603-04
https://security.gentoo.org/glsa/201701-19
http://packetstormsecurity.com/files/132021/Fuse-Local-Privilege-Escalation.html
https://gist.github.com/taviso/ecb70eb12d461dd85cba
https://twitter.com/taviso/status/601370527437967360
http://www.openwall.com/lists/oss-security/2015/05/21/9
http://www.securitytracker.com/id/1032386
SuSE Security Announcement: openSUSE-SU-2015:0997 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-06/msg00005.html
SuSE Security Announcement: openSUSE-SU-2015:1003 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-06/msg00007.html
http://www.ubuntu.com/usn/USN-2617-1
http://www.ubuntu.com/usn/USN-2617-2
http://www.ubuntu.com/usn/USN-2617-3
CopyrightCopyright (c) 2015 Greenbone Networks GmbH http://greenbone.net

This is only one of 97459 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.