Sign-up

ID

VAR-201601-0163


CVE

CVE-2015-8612


TITLE

Blueman of plugins/mechanism/Network.py of Network class EnableNetwork Vulnerability gained in methods

Trust: 0.8

sources: JVNDB: JVNDB-2015-006769

DESCRIPTION

The EnableNetwork method in the Network class in plugins/mechanism/Network.py in Blueman before 2.0.3 allows local users to gain privileges via the dhcp_handler argument. Blueman is a Bluetooth manager. Blueman has a remote privilege escalation vulnerability. A remote attacker can exploit this vulnerability to gain elevated privileges. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] blueman (SSA:2015-356-01) New blueman packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix a security issue. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/blueman-r708-i486-4_slack14.1.txz: Rebuilt. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8612 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/blueman-r708-i486-2_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/blueman-r708-x86_64-2_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/blueman-r708-i486-3_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/blueman-r708-x86_64-3_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/blueman-r708-i486-4_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/blueman-r708-x86_64-4_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/blueman-2.0.3-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/blueman-2.0.3-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.37 package: 65009da30d3cf60c32e561b0085ee1fd blueman-r708-i486-2_slack13.37.txz Slackware x86_64 13.37 package: a0e967b8857c9d71a9e1373d0c864d04 blueman-r708-x86_64-2_slack13.37.txz Slackware 14.0 package: 37fcc1290f1a07cfd310f0c0b289eccb blueman-r708-i486-3_slack14.0.txz Slackware x86_64 14.0 package: 62d2086a3ac4d71963722fd7583b275a blueman-r708-x86_64-3_slack14.0.txz Slackware 14.1 package: b974a87cad4f3b9521a1402c75e1b87e blueman-r708-i486-4_slack14.1.txz Slackware x86_64 14.1 package: d5b9c061018e190a7e770bee1ddc3601 blueman-r708-x86_64-4_slack14.1.txz Slackware -current package: 0a37e8f7294902a9315455a3d8ecd54f xap/blueman-2.0.3-i586-1.txz Slackware x86_64 -current package: be29b1d932617c1cec46c2e8042eb525 xap/blueman-2.0.3-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg blueman-r708-i486-4_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlZ6MT4ACgkQakRjwEAQIjO34QCgiChwEWhragkSkMoC0/fAEHJ1 ZfUAn1QkjpRtY9C0wRphVloQsV+TtrqT =KJB1 -----END PGP SIGNATURE-----

Trust: 2.52

sources: NVD: CVE-2015-8612 // JVNDB: JVNDB-2015-006769 // CNVD: CNVD-2015-08558 // BID: 79688 // PACKETSTORM: 135047

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-08558

AFFECTED PRODUCTS

vendor:bluemanmodel:bluemanscope:lteversion:2.0

Trust: 1.0

vendor:slackwaremodel:linux x86 64 -currentscope: - version: -

Trust: 0.9

vendor:bluemanmodel:bluemanscope:ltversion:2.0.3

Trust: 0.8

vendor:slackwaremodel:linuxscope:eqversion:13.7

Trust: 0.6

vendor:slackwaremodel:linux x86 64scope:eqversion:13.7

Trust: 0.6

vendor:slackwaremodel:linux currentscope: - version: -

Trust: 0.6

vendor:bluemanmodel:bluemanscope:eqversion:2.0

Trust: 0.6

vendor:slackwaremodel:linux x86 64scope:eqversion:13.37

Trust: 0.3

vendor:slackwaremodel:linuxscope:eqversion:13.37

Trust: 0.3

vendor:slackwaremodel:linux -currentscope: - version: -

Trust: 0.3

sources: CNVD: CNVD-2015-08558 // BID: 79688 // JVNDB: JVNDB-2015-006769 // CNNVD: CNNVD-201512-600 // NVD: CVE-2015-8612

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8612
value: HIGH

Trust: 1.0

NVD: CVE-2015-8612
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-08558
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201512-600
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2015-8612
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-08558
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2015-8612
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.5
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: CNVD: CNVD-2015-08558 // JVNDB: JVNDB-2015-006769 // CNNVD: CNNVD-201512-600 // NVD: CVE-2015-8612

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2015-006769 // NVD: CVE-2015-8612

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201512-600

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201512-600

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-006769

PATCH
title:Release 2.0.3url:https://github.com/blueman-project/blueman/releases/tag/2.0.3
Trust: 0.8
title:Privilege escalation in blueman dbus API #416url:https://github.com/blueman-project/blueman/issues/416
Trust: 0.8
title:Blueman Remote Elevation of Privilege Patchurl:https://www.cnvd.org.cn/patchInfo/show/69396
Trust: 0.6
title:Blueman Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59352
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-08558 // 
            
            
            
            JVNDB: JVNDB-2015-006769 // 
            
            
            
            CNNVD: CNNVD-201512-600

EXTERNAL IDS
db:NVDid:CVE-2015-8612
Trust: 3.4
db:BIDid:79688
Trust: 2.5
db:OPENWALLid:OSS-SECURITY/2015/12/18/6
Trust: 1.6
db:OPENWALLid:OSS-SECURITY/2015/12/19/1
Trust: 1.6
db:PACKETSTORMid:135047
Trust: 1.1
db:EXPLOIT-DBid:46186
Trust: 1.0
db:JVNDBid:JVNDB-2015-006769
Trust: 0.8
db:CNVDid:CNVD-2015-08558
Trust: 0.6
db:CNNVDid:CNNVD-201512-600
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-08558 // 
            
            
            
            BID: 79688 // 
            
            
            
            JVNDB: JVNDB-2015-006769 // 
            
            
            
            PACKETSTORM: 135047 // 
            
            
            
            CNNVD: CNNVD-201512-600 // 
            
            
            
            NVD: CVE-2015-8612

REFERENCES
url:http://www.securityfocus.com/bid/79688
Trust: 2.2
url:http://www.openwall.com/lists/oss-security/2015/12/19/1
Trust: 1.6
url:https://twitter.com/thegrugq/status/677809527882813440
Trust: 1.6
url:http://www.openwall.com/lists/oss-security/2015/12/18/6
Trust: 1.6
url:https://github.com/blueman-project/blueman/releases/tag/2.0.3
Trust: 1.6
url:https://github.com/blueman-project/blueman/issues/416
Trust: 1.6
url:http://www.debian.org/security/2015/dsa-3427
Trust: 1.6
url:https://www.exploit-db.com/exploits/46186/
Trust: 1.0
url:http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085
Trust: 1.0
url:http://packetstormsecurity.com/files/135047/slackware-security-advisory-blueman-updates.html
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8612
Trust: 0.9
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8612
Trust: 0.8
url:http://slackware.com
Trust: 0.1
url:http://osuosl.org)
Trust: 0.1
url:http://slackware.com/gpg-key
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-8612
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-08558 // 
            
            
            
            JVNDB: JVNDB-2015-006769 // 
            
            
            
            PACKETSTORM: 135047 // 
            
            
            
            CNNVD: CNNVD-201512-600 // 
            
            
            
            NVD: CVE-2015-8612

CREDITS
Salvatore Bonaccorso
Trust: 0.9
sources:
            
            
            BID: 79688 // 
            
            
            
            CNNVD: CNNVD-201512-600

SOURCES
db:CNVDid:CNVD-2015-08558
db:BIDid:79688
db:JVNDBid:JVNDB-2015-006769
db:PACKETSTORMid:135047
db:CNNVDid:CNNVD-201512-600
db:NVDid:CVE-2015-8612

LAST UPDATE DATE
2024-11-23T22:56:22.890000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-08558date:2015-12-31T00:00:00
db:BIDid:79688date:2015-12-25T00:00:00
db:JVNDBid:JVNDB-2015-006769date:2016-01-15T00:00:00
db:CNNVDid:CNNVD-201512-600date:2016-01-11T00:00:00
db:NVDid:CVE-2015-8612date:2024-11-21T02:38:48.920

SOURCES RELEASE DATE
db:CNVDid:CNVD-2015-08558date:2015-12-31T00:00:00
db:BIDid:79688date:2015-12-25T00:00:00
db:JVNDBid:JVNDB-2015-006769date:2016-01-15T00:00:00
db:PACKETSTORMid:135047date:2015-12-24T17:31:55
db:CNNVDid:CNNVD-201512-600date:2015-12-28T00:00:00
db:NVDid:CVE-2015-8612date:2016-01-08T19:59:16.350