Main Vulnerability Database Vulnerabilities #VU33502

Permissions, Privileges, and Access Controls in ldns - CVE-2014-3209

Published: November 16, 2014 / Updated: August 4, 2020

Vulnerability identifier: #VU33502

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2014-3209

CWE-ID: CWE-264

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: NLnet Labs

Affected software:
ldns

Detailed vulnerability description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The ldns-keygen tool in ldns 1.6.x uses the current umask to set the privileges of the private key, which might allow local users to obtain the private key by reading the file.

How to mitigate CVE-2014-3209

Install update from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2014/05/03/2
http://www.openwall.com/lists/oss-security/2014/05/05/4
http://www.securityfocus.com/bid/67200
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573

Permissions, Privileges, and Access Controls in ldns - CVE-2014-3209

Detailed vulnerability description

How to mitigate CVE-2014-3209

Sources

Please verify you're human