Details of VAR-201208-0382

ID

VAR-201208-0382

CVE

CVE-2012-3449

TITLE

Open vSwitch Vulnerable to arbitrary file deletion

Trust: 0.8

sources: JVNDB: JVNDB-2012-003499

DESCRIPTION

Open vSwitch 1.4.2 uses world writable permissions for (1) /var/lib/openvswitch/pki/controllerca/incoming/ and (2) /var/lib/openvswitch/pki/switchca/incoming/, which allows local users to delete and overwrite arbitrary files. Note: This BID is being retired as a duplicate of BID 54789 (Debian 'openvswitch-pki' Package Multiple Insecure File Permissions Vulnerabilities). openvswitch-pki is prone to multiple insecure file-permission vulnerabilities. This may aid in further attacks. openvswitch-pki 1.4.2+git20120612-7 is vulnerable; other versions may be vulnerable. Open vSwitch (OVS) is a multi-layer virtual switch product based on open source technology (following the Apache2.0 license). It supports large-scale network automation, standard management interfaces and protocols, etc. through programming extensions. A vulnerability exists in Open vSwitch version 1.4.2 in /var/lib/openvswitch/pki/controllerca/incoming/ and /var/lib/openvswitch/pki/switchca/incoming/ due to the use of "Writable by everyone" "

Trust: 2.25

sources: NVD: CVE-2012-3449 // JVNDB: JVNDB-2012-003499 // BID: 54794 // BID: 54789 // VULHUB: VHN-56730

AFFECTED PRODUCTS

vendor:	openvswitch	model:	openvswitch	scope:	eq	version:	1.4.2	Trust: 1.6
vendor:	open vswitch	model:	open vswitch	scope:	eq	version:	1.4.2	Trust: 0.8
vendor:	debian	model:	openvswitch-pki 1.4.2+git20120612-7	scope:	-	version:	-	Trust: 0.3
vendor:	debian	model:	openvswitch-pki 1.4.2+git20120612-8	scope:	ne	version:	-	Trust: 0.3

sources: BID: 54789 // JVNDB: JVNDB-2012-003499 // CNNVD: CNNVD-201208-055 // NVD: CVE-2012-3449

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2012-3449
value:	LOW
Trust: 1.0
NVD:	CVE-2012-3449
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-201208-055
value:	LOW
Trust: 0.6
VULHUB:	VHN-56730
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2012-3449
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:N/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-56730
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:N/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-56730 // JVNDB: JVNDB-2012-003499 // CNNVD: CNNVD-201208-055 // NVD: CVE-2012-3449

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-56730 // JVNDB: JVNDB-2012-003499 // NVD: CVE-2012-3449

THREAT TYPE

local

Trust: 1.2

sources: BID: 54794 // BID: 54789 // CNNVD: CNNVD-201208-055

TYPE

Design Error

Trust: 0.6

sources: BID: 54794 // BID: 54789

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-003499

PATCH

title:	openvswitch-pki: creates world writable directories: /var/lib/openvswitch/pki/*ca/incoming/	url:	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665	Trust: 0.8
title:	Top Page	url:	http://openvswitch.org/	Trust: 0.8
title:	Bug 845350	url:	https://bugzilla.redhat.com/show_bug.cgi?id=845350	Trust: 0.8

sources: JVNDB: JVNDB-2012-003499

EXTERNAL IDS

db:	NVD	id:	CVE-2012-3449	Trust: 3.1
db:	BID	id:	54794	Trust: 2.0
db:	BID	id:	54789	Trust: 2.0
db:	OPENWALL	id:	OSS-SECURITY/2012/08/03/6	Trust: 1.7
db:	OPENWALL	id:	OSS-SECURITY/2012/08/02/6	Trust: 1.7
db:	JVNDB	id:	JVNDB-2012-003499	Trust: 0.8
db:	CNNVD	id:	CNNVD-201208-055	Trust: 0.7
db:	XF	id:	77417	Trust: 0.6
db:	MLIST	id:	[OSS-SECURITY] 20120803 RE: OPENVSWITCH WORLD WRITABLE DIRECTORIES (CVE-2012-3449)	Trust: 0.6
db:	MLIST	id:	[OSS-SECURITY] 20120802 OPENVSWITCH WORLD WRITABLE DIRECTORIES (CVE-2012-3449)	Trust: 0.6
db:	VULHUB	id:	VHN-56730	Trust: 0.1

sources: VULHUB: VHN-56730 // BID: 54794 // BID: 54789 // JVNDB: JVNDB-2012-003499 // CNNVD: CNNVD-201208-055 // NVD: CVE-2012-3449

REFERENCES

url:	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665	Trust: 2.0
url:	https://bugzilla.redhat.com/show_bug.cgi?id=845350	Trust: 2.0
url:	http://www.securityfocus.com/bid/54789	Trust: 1.7
url:	http://www.securityfocus.com/bid/54794	Trust: 1.7
url:	http://www.openwall.com/lists/oss-security/2012/08/02/6	Trust: 1.7
url:	http://www.openwall.com/lists/oss-security/2012/08/03/6	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/77417	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-3449	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-3449	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/77417	Trust: 0.6
url:	http://www.debian.org/	Trust: 0.3
url:	http://packages.debian.org/sid/openvswitch-pki	Trust: 0.3

sources: VULHUB: VHN-56730 // BID: 54789 // JVNDB: JVNDB-2012-003499 // CNNVD: CNNVD-201208-055 // NVD: CVE-2012-3449

CREDITS

Andreas Beckmann

Trust: 0.6

sources: BID: 54794 // BID: 54789

SOURCES

db:	VULHUB	id:	VHN-56730
db:	BID	id:	54794
db:	BID	id:	54789
db:	JVNDB	id:	JVNDB-2012-003499
db:	CNNVD	id:	CNNVD-201208-055
db:	NVD	id:	CVE-2012-3449

LAST UPDATE DATE

2024-11-23T22:27:31.842000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-56730	date:	2017-08-29T00:00:00
db:	BID	id:	54794	date:	2012-11-09T10:30:00
db:	BID	id:	54789	date:	2015-04-13T21:17:00
db:	JVNDB	id:	JVNDB-2012-003499	date:	2012-08-09T00:00:00
db:	CNNVD	id:	CNNVD-201208-055	date:	2012-08-08T00:00:00
db:	NVD	id:	CVE-2012-3449	date:	2024-11-21T01:40:54.010

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-56730	date:	2012-08-07T00:00:00
db:	BID	id:	54794	date:	2012-08-02T00:00:00
db:	BID	id:	54789	date:	2012-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2012-003499	date:	2012-08-09T00:00:00
db:	CNNVD	id:	CNNVD-201208-055	date:	2012-08-08T00:00:00
db:	NVD	id:	CVE-2012-3449	date:	2012-08-07T20:55:03.780