CVE-2015-3202 - OpenCVE

fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Fuse Project	Fuse
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:fuse_project:fuse:*:*:*:*:*:*:*:*

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159298.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159543.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159683.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159831.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160094.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160106.html
http://lists.opensuse.org/opensuse-updates/2015-06/msg00005.html
http://lists.opensuse.org/opensuse-updates/2015-06/msg00007.html
http://packetstormsecurity.com/files/132021/Fuse-Local-Privilege-Escalation.html
http://www.debian.org/security/2015/dsa-3266
http://www.debian.org/security/2015/dsa-3268
http://www.openwall.com/lists/oss-security/2015/05/21/9	Exploit
http://www.securityfocus.com/bid/74765
http://www.securitytracker.com/id/1032386
http://www.ubuntu.com/usn/USN-2617-1
http://www.ubuntu.com/usn/USN-2617-2
http://www.ubuntu.com/usn/USN-2617-3
https://gist.github.com/taviso/ecb70eb12d461dd85cba	Exploit
https://security.gentoo.org/glsa/201603-04
https://security.gentoo.org/glsa/201701-19
https://twitter.com/taviso/status/601370527437967360
https://www.exploit-db.com/exploits/37089/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2015-07-02T21:16:00

Updated: 2017-06-30T16:57:01

Reserved: 2015-04-10T00:00:00

Link: CVE-2015-3202

JSON object: View

NVD Information

Status : Modified

Published: 2015-07-02T21:59:03.143

Modified: 2017-07-01T01:29:15.797

Link: CVE-2015-3202

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-05-21T00:00:00", "descriptions": [{"lang": "en", "value": "fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-3268", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3268"}, {"name": "USN-2617-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2617-1"}, {"name": "FEDORA-2015-8771", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159543.html"}, {"name": "FEDORA-2015-8782", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160094.html"}, {"name": "FEDORA-2015-8751", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159831.html"}, {"name": "1032386", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1032386"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/taviso/ecb70eb12d461dd85cba"}, {"name": "74765", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74765"}, {"name": "FEDORA-2015-8773", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159298.html"}, {"name": "openSUSE-SU-2015:1003", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-06/msg00007.html"}, {"name": "DSA-3266", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3266"}, {"name": "GLSA-201603-04", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201603-04"}, {"name": "USN-2617-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2617-2"}, {"name": "FEDORA-2015-8777", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160106.html"}, {"name": "FEDORA-2015-8756", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159683.html"}, {"name": "GLSA-201701-19", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-19"}, {"name": "[oss-security] 20150521 CVE-2015-3202 fuse privilege escalation", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/05/21/9"}, {"name": "openSUSE-SU-2015:0997", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-06/msg00005.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/132021/Fuse-Local-Privilege-Escalation.html"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/taviso/status/601370527437967360"}, {"name": "37089", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/37089/"}, {"name": "USN-2617-3", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2617-3"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-3202", "datePublished": "2015-07-02T21:16:00", "dateReserved": "2015-04-10T00:00:00", "dateUpdated": "2017-06-30T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fuse_project:fuse:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C4B0DBD-CA99-41CD-BB36-C700296D5DA3", "versionEndIncluding": "2.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature."}, {"lang": "es", "value": "fusermount en FUSE anterior a 2.9.3-15 no limpia correctamente el entorno antes de llamar a (1) mount o (2) umount como root, lo que permite a usuarios locales escribir en ficheros arbitrarios a trav\u00e9s de una variable de entorno LIBMOUNT_MTAB manipulada que es utilizada por la caracter\u00edstica de depuraci\u00f3n de mount."}], "id": "CVE-2015-3202", "lastModified": "2017-07-01T01:29:15.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-07-02T21:59:03.143", "references": [{"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159298.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159543.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159683.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159831.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160094.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160106.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-06/msg00005.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-06/msg00007.html"}, {"source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/132021/Fuse-Local-Privilege-Escalation.html"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2015/dsa-3266"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2015/dsa-3268"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://www.openwall.com/lists/oss-security/2015/05/21/9"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/74765"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1032386"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2617-1"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2617-2"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2617-3"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "https://gist.github.com/taviso/ecb70eb12d461dd85cba"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201603-04"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201701-19"}, {"source": "secalert@redhat.com", "url": "https://twitter.com/taviso/status/601370527437967360"}, {"source": "secalert@redhat.com", "url": "https://www.exploit-db.com/exploits/37089/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}