Vulnerability Details : CVE-2014-8156
The D-Bus security policy files in /etc/dbus-1/system.d/*.conf in fso-gsmd 0.12.0-3, fso-frameworkd 0.9.5.9+git20110512-4, and fso-usaged 0.12.0-2 as packaged in Debian, the upstream cornucopia.git (fsoaudiod, fsodatad, fsodeviced, fsogsmd, fsonetworkd, fsotdld, fsousaged) git master on 2015-01-19, the upstream framework.git 0.10.1 and git master on 2015-01-19, phonefsod 0.1+git20121018-1 as packaged in Debian, Ubuntu and potentially other packages, and potentially other fso modules do not properly filter D-Bus message paths, which might allow local users to cause a denial of service (dbus-daemon memory consumption), or execute arbitrary code as root by sending a crafted D-Bus message to any D-Bus system service.
Vulnerability category: Execute code, Denial of service
Products affected by CVE-2014-8156
- cpe:2.3:a:fso-frameworkd_project:fso-frameworkd:0.9.5.9:*:*:*:*:*:*:* (when used together with: Debian » Debian Linux)
- cpe:2.3:a:fso-gsmd_project:fso-gsmd:0.12.0-3:*:*:*:*:*:*:* (when used together with: Debian » Debian Linux)
- cpe:2.3:a:fso-usaged_project:fso-usaged:0.12.0-2:*:*:*:*:*:*:* (when used together with: Debian » Debian Linux)
- cpe:2.3:a:phonefsod_project:phonefsod:0.1:*:*:*:*:*:*:* (when used together with: Debian » Debian Linux)
Exploit prediction scoring system (EPSS) score for CVE-2014-8156
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~8% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-8156
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2014-8156
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8156
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100488
  freesmartphone.org (fso) stack denial of service CVE-2014-8156 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/72363
  freesmartphone.org CVE-2014-8156 Local Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2015/01/27/25
  oss-security - CVE-2014-8156: freesmartphone.org stack configures D-Bus system bus to be insecure (Mailing List; Third Party Advisory)