CVE-2009-0365 - OpenCVE

nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:S/C:C/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ubuntu	Ubuntu Linux

Configuration 1 [-]

OR	cpe:2.3:o:ubuntu:ubuntu_linux:6.06:-:lts:::::*
	cpe:2.3:o:ubuntu:ubuntu_linux:7.10:::::::*
	cpe:2.3:o:ubuntu:ubuntu_linux:8.04:-:lts:::::*
	cpe:2.3:o:ubuntu:ubuntu_linux:8.10:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
http://secunia.com/advisories/34067
http://secunia.com/advisories/34177
http://secunia.com/advisories/34473
http://securitytracker.com/id?1021910
http://securitytracker.com/id?1021911
http://svn.gnome.org/viewvc/network-manager-applet/trunk/nm-applet.conf?r1=1133&r2=1207&pathrev=1207
http://svn.gnome.org/viewvc/network-manager-applet?view=revision&revision=1207
http://www.debian.org/security/2009/dsa-1955
http://www.redhat.com/support/errata/RHSA-2009-0361.html
http://www.redhat.com/support/errata/RHSA-2009-0362.html
http://www.securityfocus.com/bid/33966	Patch
http://www.securitytracker.com/id?1021908
http://www.ubuntu.com/usn/USN-727-1	Vendor Advisory
http://www.ubuntu.com/usn/USN-727-2	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=487722
https://bugzilla.redhat.com/show_bug.cgi?id=487752
https://exchange.xforce.ibmcloud.com/vulnerabilities/49062
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10828

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-03-05T02:00:00

Updated: 2017-09-28T12:57:01

Reserved: 2009-01-29T00:00:00

Link: CVE-2009-0365

JSON object: View

NVD Information

Status : Modified

Published: 2009-03-05T02:30:00.313

Modified: 2017-09-29T01:33:46.497

Link: CVE-2009-0365

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-03-03T00:00:00", "descriptions": [{"lang": "en", "value": "nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1021910", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1021910"}, {"name": "USN-727-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-727-1"}, {"name": "USN-727-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-727-2"}, {"name": "networkmanager-dbus-info-disclosure(49062)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49062"}, {"name": "1021908", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1021908"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.gnome.org/viewvc/network-manager-applet?view=revision&revision=1207"}, {"name": "33966", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/33966"}, {"name": "1021911", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1021911"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=487722"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.gnome.org/viewvc/network-manager-applet/trunk/nm-applet.conf?r1=1133&r2=1207&pathrev=1207"}, {"name": "oval:org.mitre.oval:def:10828", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10828"}, {"name": "34067", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34067"}, {"name": "RHSA-2009:0362", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2009-0362.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=487752"}, {"name": "DSA-1955", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2009/dsa-1955"}, {"name": "SUSE-SR:2009:009", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html"}, {"name": "SUSE-SA:2009:013", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00003.html"}, {"name": "RHSA-2009:0361", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2009-0361.html"}, {"name": "34177", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34177"}, {"name": "34473", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34473"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0365", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1021910", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1021910"}, {"name": "USN-727-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-727-1"}, {"name": "USN-727-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-727-2"}, {"name": "networkmanager-dbus-info-disclosure(49062)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49062"}, {"name": "1021908", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1021908"}, {"name": "http://svn.gnome.org/viewvc/network-manager-applet?view=revision&revision=1207", "refsource": "CONFIRM", "url": "http://svn.gnome.org/viewvc/network-manager-applet?view=revision&revision=1207"}, {"name": "33966", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33966"}, {"name": "1021911", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1021911"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=487722", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=487722"}, {"name": "http://svn.gnome.org/viewvc/network-manager-applet/trunk/nm-applet.conf?r1=1133&r2=1207&pathrev=1207", "refsource": "CONFIRM", "url": "http://svn.gnome.org/viewvc/network-manager-applet/trunk/nm-applet.conf?r1=1133&r2=1207&pathrev=1207"}, {"name": "oval:org.mitre.oval:def:10828", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10828"}, {"name": "34067", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34067"}, {"name": "RHSA-2009:0362", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2009-0362.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=487752", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=487752"}, {"name": "DSA-1955", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2009/dsa-1955"}, {"name": "SUSE-SR:2009:009", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html"}, {"name": "SUSE-SA:2009:013", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00003.html"}, {"name": "RHSA-2009:0361", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2009-0361.html"}, {"name": "34177", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34177"}, {"name": "34473", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34473"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0365", "datePublished": "2009-03-05T02:00:00", "dateReserved": "2009-01-29T00:00:00", "dateUpdated": "2017-09-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ubuntu:ubuntu_linux:6.06:-:lts:*:*:*:*:*", "matchCriteriaId": "678EC327-EAC6-4923-9987-A9B78111B5C4", "vulnerable": true}, {"criteria": "cpe:2.3:o:ubuntu:ubuntu_linux:7.10:*:*:*:*:*:*:*", "matchCriteriaId": "06FD8602-7069-41C6-B65C-84928EDCE2D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:ubuntu:ubuntu_linux:8.04:-:lts:*:*:*:*:*", "matchCriteriaId": "12DD761F-EA6F-4139-94ED-94EBC0F6A87D", "vulnerable": true}, {"criteria": "cpe:2.3:o:ubuntu:ubuntu_linux:8.10:*:*:*:*:*:*:*", "matchCriteriaId": "ED67B852-4B37-4B79-8F4D-23B2FEACA4ED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler."}, {"lang": "es", "value": "El manipulador de peticiones dbus en (1) network-manager-applet y (2) NetworkManager en Ubuntu v6.06 LTS, v7.10, v8.04 LTS, and v8.10 no verifica adecuadamente los privilegios, lo que permite a usuarios locales descubrir (a)las contrase\u00f1as de la conexi\u00f3n de red y (b)Las claves pre-compartidas a trav\u00e9s de peticiones sin especificar."}], "id": "CVE-2009-0365", "lastModified": "2017-09-29T01:33:46.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-03-05T02:30:00.313", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00003.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/34067"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/34177"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/34473"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1021910"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1021911"}, {"source": "cve@mitre.org", "url": "http://svn.gnome.org/viewvc/network-manager-applet/trunk/nm-applet.conf?r1=1133&r2=1207&pathrev=1207"}, {"source": "cve@mitre.org", "url": "http://svn.gnome.org/viewvc/network-manager-applet?view=revision&revision=1207"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2009/dsa-1955"}, {"source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2009-0361.html"}, {"source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2009-0362.html"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/33966"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1021908"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.ubuntu.com/usn/USN-727-1"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.ubuntu.com/usn/USN-727-2"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=487722"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=487752"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49062"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10828"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}