#VU32484 Input validation error in dbus - CVE-2014-3637


| Updated: 2020-07-28

Vulnerability identifier: #VU32484

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-3637

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
dbus
Universal components / Libraries / Libraries used by multiple products

Vendor: Freedesktop.org

Description

The vulnerability allows local users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.

Mitigation
Update to version 1.6.24.

Vulnerable software versions

dbus: 1.6.0 - 1.6.22

External links
https://advisories.mageia.org/MGASA-2014-0395.html
https://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html
https://secunia.com/advisories/61378
https://www.debian.org/security/2014/dsa-3026
https://www.mandriva.com/security/advisories?name=MDVSA-2015:176
https://www.openwall.com/lists/oss-security/2014/09/16/9
https://www.openwall.com/lists/oss-security/2019/06/24/13
https://www.openwall.com/lists/oss-security/2019/06/24/14
https://www.securitytracker.com/id/1030864
https://www.ubuntu.com/usn/USN-2352-1
https://bugs.freedesktop.org/show_bug.cgi?id=80559

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora EPEL 7 update for mingw-dbus
Fedora 21 update for mingw-dbus
Gentoo update for D-Bus
Fedora 21 update for dbus
Input validation error in dbus (Alpine package)
Input validation error in Freedesktop dbus