Vulnerabilities > CVE-2008-4311 - Configuration vulnerability in Freedesktop Dbus
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_0_HAL-090205.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 39981 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39981 title openSUSE Security Update : hal (hal-501) NASL family SuSE Local Security Checks NASL id SUSE_11_1_DBUS-1-090204.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 40210 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40210 title openSUSE Security Update : dbus-1 (dbus-1-488) NASL family SuSE Local Security Checks NASL id SUSE_11_0_POLICYKIT-090203.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 39901 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39901 title openSUSE Security Update : PolicyKit (PolicyKit-494) NASL family Fedora Local Security Checks NASL id FEDORA_2008-10907.NASL description A system restart is required for this update to take effect. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 35047 published 2008-12-08 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35047 title Fedora 9 : dbus-1.2.6-1.fc9 (2008-10907) NASL family SuSE Local Security Checks NASL id SUSE_11_1_HAL-090205.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 40231 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40231 title openSUSE Security Update : hal (hal-501) NASL family SuSE Local Security Checks NASL id SUSE_11_DBUS-1-090402.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied. (CVE-2008-4311) The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. With the previous update wireless networking didn last seen 2020-06-01 modified 2020-06-02 plugin id 41382 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41382 title SuSE 11 Security Update : dbus (SAT Patch Number 726) NASL family SuSE Local Security Checks NASL id SUSE_11_1_DBUS-1-090402.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. With the previous update wireless networking didn last seen 2020-06-01 modified 2020-06-02 plugin id 40211 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40211 title openSUSE Security Update : dbus-1 (dbus-1-717) NASL family SuSE Local Security Checks NASL id SUSE_11_0_HAL-090313.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 39982 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39982 title openSUSE Security Update : hal (hal-620) NASL family SuSE Local Security Checks NASL id SUSE_11_0_BLUEZ-AUDIO-090417.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. The previous bluez update caused problems with the bluez passkey agent. This second update fixes this. last seen 2020-06-01 modified 2020-06-02 plugin id 39924 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39924 title openSUSE Security Update : bluez-audio (bluez-audio-802) NASL family SuSE Local Security Checks NASL id SUSE_BLUEZ-CUPS-6118.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 36016 published 2009-03-25 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36016 title openSUSE 10 Security Update : bluez-cups (bluez-cups-6118) NASL family SuSE Local Security Checks NASL id SUSE_HAL-6085.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 35956 published 2009-03-18 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35956 title openSUSE 10 Security Update : hal (hal-6085) NASL family SuSE Local Security Checks NASL id SUSE_HAL-6036.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied. (CVE-2008-4311) The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. Additionally a bug in hal that allowed users to crash the hal daemon has been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 41520 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41520 title SuSE 10 Security Update : hal (ZYPP Patch Number 6036) NASL family SuSE Local Security Checks NASL id SUSE_11_1_CONSOLEKIT-090312.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 40163 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40163 title openSUSE Security Update : ConsoleKit (ConsoleKit-596) NASL family SuSE Local Security Checks NASL id SUSE_11_0_PACKAGEKIT-090204.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 39900 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39900 title openSUSE Security Update : PackageKit (PackageKit-495) NASL family SuSE Local Security Checks NASL id SUSE_11_0_HAL-090402.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services like hal break due to this setting and need an updated configuration as well. The dbus configuration in the previous hal update was incomplete so this is the second attempt to fix the problem. last seen 2020-06-01 modified 2020-06-02 plugin id 39983 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39983 title openSUSE Security Update : hal (hal-721) NASL family SuSE Local Security Checks NASL id SUSE_BLUEZ-AUDIO-6197.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. The previous bluez update caused problems with the bluez passkey agent. This second update fixes this. last seen 2020-06-01 modified 2020-06-02 plugin id 36200 published 2009-04-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36200 title openSUSE 10 Security Update : bluez-audio (bluez-audio-6197) NASL family SuSE Local Security Checks NASL id SUSE_11_1_POLICYKIT-090203.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 40181 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40181 title openSUSE Security Update : PolicyKit (PolicyKit-494) NASL family SuSE Local Security Checks NASL id SUSE_11_0_BLUEZ-AUDIO-090320.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 39923 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39923 title openSUSE Security Update : bluez-audio (bluez-audio-671) NASL family SuSE Local Security Checks NASL id SUSE_11_1_GNOME-PANEL-090408.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 40223 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40223 title openSUSE Security Update : gnome-panel (gnome-panel-753) NASL family SuSE Local Security Checks NASL id SUSE_11_0_CONSOLEKIT-090312.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 39877 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39877 title openSUSE Security Update : ConsoleKit (ConsoleKit-596) NASL family SuSE Local Security Checks NASL id SUSE_DBUS-1-5972.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 35955 published 2009-03-18 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35955 title openSUSE 10 Security Update : dbus-1 (dbus-1-5972) NASL family Fedora Local Security Checks NASL id FEDORA_2008-10733.NASL description A system restart is required for this update to take effect. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37165 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37165 title Fedora 10 : dbus-1.2.6-1.fc10 (2008-10733) NASL family SuSE Local Security Checks NASL id SUSE_DBUS-1-5969.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied. (CVE-2008-4311) The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 41500 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41500 title SuSE 10 Security Update : dbus (ZYPP Patch Number 5969) NASL family SuSE Local Security Checks NASL id SUSE_HAL-6037.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 35922 published 2009-03-13 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35922 title openSUSE 10 Security Update : hal (hal-6037) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-750.NASL description 6 vulnerabilities were discovered for the dbus-1 and dbus-1-x11 packages in openSUSE versions 11.4, 12.1, and 12.2. last seen 2020-06-05 modified 2014-06-13 plugin id 74795 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74795 title openSUSE Security Update : dbus-1 / dbus-1-x11 (openSUSE-SU-2012:1418-1) NASL family SuSE Local Security Checks NASL id SUSE_11_0_DBUS-1-090129.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 39948 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39948 title openSUSE Security Update : dbus-1 (dbus-1-488) NASL family SuSE Local Security Checks NASL id SUSE_HAL-6098.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 35986 published 2009-03-22 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35986 title openSUSE 10 Security Update : hal (hal-6098) NASL family SuSE Local Security Checks NASL id SUSE_11_1_PACKAGEKIT-090203.NASL description The dbus package used a too permissive configuration. Therefore intended access control for some services was not applied (CVE-2008-4311). The new configuration denies access by default. Some dbus services may break due to this setting and need an updated configuration as well. last seen 2020-06-01 modified 2020-06-02 plugin id 40180 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40180 title openSUSE Security Update : PackageKit (PackageKit-495)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532
- http://forums.fedoraforum.org/showthread.php?t=206797
- http://lists.freedesktop.org/archives/dbus/2008-December/010702.html
- http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html
- http://secunia.com/advisories/33047
- http://secunia.com/advisories/33055
- http://secunia.com/advisories/34360
- http://secunia.com/advisories/34642
- http://www.securityfocus.com/bid/32674
- http://www.vupen.com/english/advisories/2008/3355
- https://bugs.freedesktop.org/show_bug.cgi?id=18229
- https://bugzilla.redhat.com/show_bug.cgi?id=474895
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47138
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00436.html