#VU18677 Race condition in gvfs - CVE-2019-12448


| Updated: 2019-06-13

Vulnerability identifier: #VU18677

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-12448

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
gvfs
Client/Desktop applications / Other client software

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to overwrite or access sensitive information, or cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists due to race conditions in the daemon/gvfsbackendadmin.c source code file because the admin backend does not implement the query_info_on_read/write functionality. A remote attacker can send a request with malicious input to the system and cause race condition that will allow to overwrite or access sensitive information or cause a DoS condition.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

As a temporary solution we recommend to install the software updates at the following link:

Vulnerable software versions

gvfs: 1.29.4 - 1.41.2

External links
https://gitlab.gnome.org/GNOME/gvfs/commit/5cd76d627f4d1982b6e77a0e271ef9301732d09e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat Enterprise Linux 8 update for GNOME
Race condition in gvfs (Alpine package)
Fedora 29 update for gvfs
Fedora 30 update for gvfs
OpenSUSE Linux update for gvfs
OpenSUSE Linux update for gvfs