A vulnerability classified as critical has been found in Google Tunnelblick 3.3beta20. Affected is the function runScript. The manipulation with an unknown input leads to a race condition vulnerability. CWE is classifying the issue as CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Race condition in the runScript function in Tunnelblick 3.3beta20 and earlier allows local users to gain privileges by replacing a script file.

The weakness was shared 08/26/2012 (oss-sec). The advisory is shared for download at openwall.com. This vulnerability is traded as CVE-2012-3483 since 06/14/2012. The exploitability is told to be difficult. The attack needs to be approached locally. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known.

The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at Exploit-DB (20417). The entries VDB-61889, VDB-61888, VDB-61887 and VDB-61886 are related to this item. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• Google

Name

• Tunnelblick

Version

• 3.3beta20

License

• free

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion