Vulnerability Details : CVE-2014-3209
The ldns-keygen tool in ldns 1.6.x uses the current umask to set the privileges of the private key, which might allow local users to obtain the private key by reading the file.
Products affected by CVE-2014-3209
- cpe:2.3:a:nlnetlabs:ldns:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:nlnetlabs:ldns:1.6.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3209
- 0.04%: Probability of exploitation activity in the next 30 days
- ~6%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3209
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
CWE ids for CVE-2014-3209
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3209
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758
  #746758 - ldnsutils: CVE-2014-3209: ldns-keygen creates private key world readable - Debian Bug report logs
- https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573
  Bug 573 – CVE-2014-3209: ldns-keygen should create private key files with stricter permissions
- http://www.openwall.com/lists/oss-security/2014/05/03/2
  oss-security - ldns-keygen creates private key world readable
- http://www.openwall.com/lists/oss-security/2014/05/05/4
  oss-security - Re: ldns-keygen creates private key world readable
- http://www.securityfocus.com/bid/67200
  ldns CVE-2014-3209 Local Insecure File Permissions Vulnerability