D-Bus up to 1.8.6 allocation of file descriptors or handles without limits or throttling
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.8 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in D-Bus. The impacted element is an unknown function. The manipulation leads to allocation of file descriptors or handles without limits or throttling. This vulnerability is documented as CVE-2014-3639. There is not any exploit available. It is recommended to upgrade the affected component.
Details
A vulnerability was found in D-Bus. It has been rated as problematic. This issue affects some unknown processing. The manipulation with an unknown input leads to a allocation of file descriptors or handles without limits or throttling vulnerability. Using CWE to declare the problem leads to CWE-774. The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor. Impacted is availability. The summary by CVE is:
The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.
The weakness was released 09/22/2014 (Website). The advisory is shared at bugs.freedesktop.org. The identification of this vulnerability is CVE-2014-3639 since 05/14/2014. The exploitation is known to be easy. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available.
The vulnerability scanner Nessus provides a plugin with the ID 77716 (Debian DSA-3026-1 : dbus - security update), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Debian Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 124841 (Solaris 11.3 Support Repository Update (SRU) 6.5.0 Missing).
Upgrading to version 1.8.0 eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (96010), Tenable (77716), SecurityFocus (BID 69832†), Secunia (SA61378†) and Vulnerability Center (SBV-46273†). Entries connected to this vulnerability are available at VDB-70401, VDB-70400, VDB-71440 and VDB-71439. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.0VulDB Meta Temp Score: 3.8
VulDB Base Score: 4.0
VulDB Temp Score: 3.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Allocation of file descriptors or handles without limits or throttlingCWE: CWE-774
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 77716
Nessus Name: Debian DSA-3026-1 : dbus - security update
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 703026
OpenVAS Name: Debian Security Advisory DSA 3026-1 (dbus - security update)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: D-Bus 1.8.0
Timeline
05/14/2014 🔍09/17/2014 🔍
09/22/2014 🔍
09/22/2014 🔍
09/28/2014 🔍
03/26/2015 🔍
03/29/2022 🔍
Sources
Advisory: USN-2352-1Status: Not defined
Confirmation: 🔍
CVE: CVE-2014-3639 (🔍)
GCVE (CVE): GCVE-0-2014-3639
GCVE (VulDB): GCVE-100-71441
OVAL: 🔍
X-Force: 96010
SecurityFocus: 69832
Secunia: 61378
SecurityTracker: 1030864
Vulnerability Center: 46273 - D-Bus before 1.6.24 and 1.8.x before 1.8.8 Local DoS via Incomplete Connections - CVE-2014-3639, Low
See also: 🔍
Entry
Created: 03/26/2015 16:14Updated: 03/29/2022 10:23
Changes: 03/26/2015 16:14 (65), 06/07/2017 11:07 (3), 03/29/2022 10:17 (4), 03/29/2022 10:23 (1)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.