Sign-up

ID

VAR-201406-0114


CVE

CVE-2014-3431


TITLE

OS X Run on Symantec PGP Desktop and Encryption Desktop Professional Vulnerabilities in which restrictions on file operations can be bypassed

Trust: 0.8

sources: JVNDB: JVNDB-2014-003025

DESCRIPTION

Symantec PGP Desktop 10.x, and Encryption Desktop Professional 10.3.x before 10.3.2 MP2, on OS X uses world-writable permissions for temporary files, which allows local users to bypass intended restrictions on file reading, modification, creation, and permission changes via unspecified vectors. Symantec Encryption Desktop is prone to an insecure file-permissions vulnerability. An attacker can exploit this issue to gain unauthorized access to or create arbitrary files with elevated privileges. PGP Desktop can create, distribute and store encryption keys. Encryption Desktop Professional encrypts stored data as well as entire hard drives or hard drive partitions. The vulnerability is caused by the program using world write permission for temporary files

Trust: 1.98

sources: NVD: CVE-2014-3431 // JVNDB: JVNDB-2014-003025 // BID: 68077 // VULHUB: VHN-71371

AFFECTED PRODUCTS

vendor:symantecmodel:encryption desktopscope:eqversion:10.3.1

Trust: 1.6

vendor:symantecmodel:encryption desktopscope:eqversion:10.3.2

Trust: 1.6

vendor:symantecmodel:pgp desktopscope:eqversion:10.0.3

Trust: 1.6

vendor:symantecmodel:pgp desktopscope:eqversion:10.0.2

Trust: 1.6

vendor:symantecmodel:pgp desktopscope:eqversion:10.0.0

Trust: 1.6

vendor:symantecmodel:pgp desktopscope:eqversion:10.1.0

Trust: 1.6

vendor:symantecmodel:pgp desktopscope:eqversion:10.0.1

Trust: 1.6

vendor:symantecmodel:encryption desktopscope:eqversion:10.3.0

Trust: 1.6

vendor:symantecmodel:pgp desktopscope:eqversion:10.1.1

Trust: 1.6

vendor:symantecmodel:pgp desktopscope:eqversion:10.2.2

Trust: 1.0

vendor:symantecmodel:pgp desktopscope:eqversion:10.1.2

Trust: 1.0

vendor:symantecmodel:pgp desktopscope:eqversion:10.2.0

Trust: 1.0

vendor:symantecmodel:pgp desktopscope:eqversion:10.2.1

Trust: 1.0

vendor:symantecmodel:pgp desktopscope:eqversion:10.x

Trust: 0.8

vendor:symantecmodel:encryption desktopscope:ltversion:10.3.x

Trust: 0.8

vendor:symantecmodel:encryption desktopscope:eqversion:professional 10.3.2 mp2

Trust: 0.8

sources: JVNDB: JVNDB-2014-003025 // CNNVD: CNNVD-201406-469 // NVD: CVE-2014-3431

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3431
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3431
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201406-469
value: MEDIUM

Trust: 0.6

VULHUB: VHN-71371
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-3431
severity: MEDIUM
baseScore: 4.3
vectorString: AV:L/AC:L/AU:S/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71371
severity: MEDIUM
baseScore: 4.3
vectorString: AV:L/AC:L/AU:S/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71371 // JVNDB: JVNDB-2014-003025 // CNNVD: CNNVD-201406-469 // NVD: CVE-2014-3431

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-71371 // JVNDB: JVNDB-2014-003025 // NVD: CVE-2014-3431

THREAT TYPE

local

Trust: 0.9

sources: BID: 68077 // CNNVD: CNNVD-201406-469

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201406-469

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-003025

PATCH
title:SYM14-011url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140620_00
Trust: 0.8
title:SYM14-011url:http://www.symantec.com/ja/jp/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140620_00
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-003025

EXTERNAL IDS
db:NVDid:CVE-2014-3431
Trust: 2.8
db:BIDid:68077
Trust: 2.0
db:SECTRACKid:1030454
Trust: 1.1
db:SECUNIAid:59421
Trust: 1.1
db:JVNDBid:JVNDB-2014-003025
Trust: 0.8
db:CNNVDid:CNNVD-201406-469
Trust: 0.7
db:VULHUBid:VHN-71371
Trust: 0.1
sources:
            
            
            VULHUB: VHN-71371 // 
            
            
            
            BID: 68077 // 
            
            
            
            JVNDB: JVNDB-2014-003025 // 
            
            
            
            CNNVD: CNNVD-201406-469 // 
            
            
            
            NVD: CVE-2014-3431

REFERENCES
url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140620_00
Trust: 1.9
url:http://www.securityfocus.com/bid/68077
Trust: 1.7
url:http://www.securitytracker.com/id/1030454
Trust: 1.1
url:http://secunia.com/advisories/59421
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3431
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3431
Trust: 0.8
url:https://www.f-secure.com
Trust: 0.3
url:http://www.symantec.com/encryption-desktop-pro
Trust: 0.3
url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140620_00
Trust: 0.1
sources:
            
            
            VULHUB: VHN-71371 // 
            
            
            
            BID: 68077 // 
            
            
            
            JVNDB: JVNDB-2014-003025 // 
            
            
            
            CNNVD: CNNVD-201406-469 // 
            
            
            
            NVD: CVE-2014-3431

CREDITS
Aaron Sigel
Trust: 0.3
sources:
            
            
            BID: 68077

SOURCES
db:VULHUBid:VHN-71371
db:BIDid:68077
db:JVNDBid:JVNDB-2014-003025
db:CNNVDid:CNNVD-201406-469
db:NVDid:CVE-2014-3431

LAST UPDATE DATE
2024-11-23T22:46:06.232000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-71371date:2017-01-07T00:00:00
db:BIDid:68077date:2014-06-20T00:00:00
db:JVNDBid:JVNDB-2014-003025date:2014-06-24T00:00:00
db:CNNVDid:CNNVD-201406-469date:2014-06-23T00:00:00
db:NVDid:CVE-2014-3431date:2024-11-21T02:08:05.037

SOURCES RELEASE DATE
db:VULHUBid:VHN-71371date:2014-06-21T00:00:00
db:BIDid:68077date:2014-06-20T00:00:00
db:JVNDBid:JVNDB-2014-003025date:2014-06-24T00:00:00
db:CNNVDid:CNNVD-201406-469date:2014-06-23T00:00:00
db:NVDid:CVE-2014-3431date:2014-06-21T15:55:04.680