RVD icon indicating copy to clipboard operation
RVD copied to clipboard

Published 20 hours ago verified publisher icon aliasrobotics

RVD#1482: The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules

Open mikekaram opened this issue 5 years ago • 1 comments 

{
    "id": 1482,
    "title": "RVD#1482: The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules",
    "type": "vulnerability",
    "description": "The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an \"ifconfig /usbserial up\" command or a \"mount -t /snd_pcm none /\" command.",
    "cwe": "CWE-20",
    "cve": "CVE-2014-9645",
    "keywords": [
        "Universal Robots",
        "manipulation",
        "cobot",
        "CB 3.x"
    ],
    "system": "Universal Robots Robot Controllers CB 3.x",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 5.6,
        "rvss-vector": "RVSS:1.0/AV:IN/AC:L/PR:L/UI:N/Y:M/S:U/C:N/I:H/A:N/H:U",
        "severity-description": "Medium",
        "cvss-score": 5.5,
        "cvss-vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
    },
    "links": [
        "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9645",
        "https://github.com/aliasrobotics/RVD/issues/1482"
    ],
    "flaw": {
        "phase": "runtime-operation",
        "specificity": "N/A",
        "architectural-location": "internal",
        "application": "busybox",
        "subsystem": "N/A",
        "package": "busybox 1:1.20.0-7 i386",
        "languages": "C",
        "date-detected": null,
        "detected-by": "Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)",
        "detected-by-method": "N/A",
        "date-reported": "2020-04-03",
        "reported-by": "Alias Robotics S.L.",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1482",
        "reproducibility": "always",
        "trace": "N/A",
        "reproduction": "N/A",
        "reproduction-image": "N/A"
    },
    "exploitation": {
        "description": "User installs malicious kernel module by running \"ifconfig /mymaliciousmodule up\"",
        "exploitation-image": "Not available",
        "exploitation-vector": "Not available"
    },
    "mitigation": {
        "description": "sudo apt-get --assume-yes install --only-upgrade busybox",
        "pull-request": null,
        "date-mitigation": null
    }
}

mikekaram avatar Apr 03 '20 12:04 mikekaram

Change the title please.

LanderU avatar Apr 03 '20 12:04 LanderU