fkie_nvd - fkie_cve-2018-16262

fkie_cve-2018-16262

Vulnerability from fkie_nvd

Published

2020-01-22 13:15

Modified

2024-11-21 03:52

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The pkgmgr system service in Tizen allows an unprivileged process to perform package management actions, due to improper D-Bus security policy configurations. Such actions include installing, decrypting, and killing other packages. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

References

URL	Tags
cve@mitre.org	https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Dongsung%20Kim%20and%20Hyoung%20Kee%20Choi%20-%20Updated/DEFCON-26-Dongsung-Kim-and-Hyoung-Kee-Choi-Your-Watch-Can-Watch-You-Updated.pdf	Third Party Advisory
cve@mitre.org	https://review.tizen.org/git/?p=platform/core/appfw/pkgmgr-server.git%3Ba=commit%3Bh=aac8a95859828a058d8e06893982b11ebc81dd78
cve@mitre.org	https://www.youtube.com/watch?v=3IdgBwbOT-g&feature=youtu.be	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Dongsung%20Kim%20and%20Hyoung%20Kee%20Choi%20-%20Updated/DEFCON-26-Dongsung-Kim-and-Hyoung-Kee-Choi-Your-Watch-Can-Watch-You-Updated.pdf	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://review.tizen.org/git/?p=platform/core/appfw/pkgmgr-server.git%3Ba=commit%3Bh=aac8a95859828a058d8e06893982b11ebc81dd78
af854a3a-2127-422b-91ae-364da2661108	https://www.youtube.com/watch?v=3IdgBwbOT-g&feature=youtu.be	Third Party Advisory

Impacted products

Vendor	Product	Version
linux	tizen	1.0
linux	tizen	1.0
linux	tizen	2.0
linux	tizen	2.1
linux	tizen	2.2
linux	tizen	2.2.1
linux	tizen	2.3
linux	tizen	2.3.1
linux	tizen	2.4
linux	tizen	3.0
linux	tizen	3.0
linux	tizen	3.0
linux	tizen	4.0
linux	tizen	4.0
linux	tizen	4.0
linux	tizen	5.0
samsung	galaxy_gear	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:tizen:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CE14F41-1DA4-4FB3-AC1E-53B38CE81A13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:1.0:m1:*:*:*:*:*:*",
              "matchCriteriaId": "20D9C36E-A873-46A7-A8BA-4A5E0A4BCCA7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "394C885B-4641-4AE1-913F-1DE2707897DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C67EE22-0987-4CB5-82C6-18D2AB6D8691",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E7F6A42-2ECF-4948-A31C-F212E4AF0158",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:2.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F08ED37-2F08-4663-ADCC-DA8608AFEF68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF125805-DE1F-4791-8B25-3759C00C184E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:2.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "44D78961-9103-4C1A-95A7-33CECC3F1172",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "A859D388-C803-4562-A83E-89C15AE69F67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8ED4739E-DB36-4298-B6D5-8905B1DB5B59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:3.0:m2:*:*:*:*:*:*",
              "matchCriteriaId": "E9F67075-9BCB-4EFF-BE36-790655A96679",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:3.0:m3:*:*:*:*:*:*",
              "matchCriteriaId": "4667DAE4-A021-4051-8C6F-AA60597FB575",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:4.0:m1:*:*:*:*:*:*",
              "matchCriteriaId": "43386546-ECB4-4131-A0CA-C9D939C6BD75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:4.0:m2:*:*:*:*:*:*",
              "matchCriteriaId": "6A8490E0-CE6A-453B-9DD6-C2D8A777FC82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:4.0:m3:*:*:*:*:*:*",
              "matchCriteriaId": "D32007B2-74B6-44A3-8C6F-BB4141B6824A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:tizen:5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "85EDFA9B-354F-4992-8565-6F39E5AC7EB5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:samsung:galaxy_gear:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B033BF3-3C56-4B7A-92B5-8D1024EB36EE",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The pkgmgr system service in Tizen allows an unprivileged process to perform package management actions, due to improper D-Bus security policy configurations. Such actions include installing, decrypting, and killing other packages. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2."
    },
    {
      "lang": "es",
      "value": "El servicio de sistema pkgmgr en Tizen permite a un proceso no privilegiado llevar a cabo acciones de administraci\u00f3n de paquetes, debido a configuraciones de pol\u00edtica de seguridad D-Bus inapropiadas. Dichas acciones incluyen instalar, descifrar y eliminar otros paquetes. Esto afecta a Tizen versiones anteriores a 5.0 M1 y a los firmwares basados en Tizen, incluyendo la serie Samsung Galaxy Gear versiones anteriores al build RE2."
    }
  ],
  "id": "CVE-2018-16262",
  "lastModified": "2024-11-21T03:52:24.283",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-22T13:15:10.020",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Dongsung%20Kim%20and%20Hyoung%20Kee%20Choi%20-%20Updated/DEFCON-26-Dongsung-Kim-and-Hyoung-Kee-Choi-Your-Watch-Can-Watch-You-Updated.pdf"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://review.tizen.org/git/?p=platform/core/appfw/pkgmgr-server.git%3Ba=commit%3Bh=aac8a95859828a058d8e06893982b11ebc81dd78"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.youtube.com/watch?v=3IdgBwbOT-g\u0026feature=youtu.be"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Dongsung%20Kim%20and%20Hyoung%20Kee%20Choi%20-%20Updated/DEFCON-26-Dongsung-Kim-and-Hyoung-Kee-Choi-Your-Watch-Can-Watch-You-Updated.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://review.tizen.org/git/?p=platform/core/appfw/pkgmgr-server.git%3Ba=commit%3Bh=aac8a95859828a058d8e06893982b11ebc81dd78"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.youtube.com/watch?v=3IdgBwbOT-g\u0026feature=youtu.be"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2018-16262 (GCVE-0-2018-16262)

Vulnerability from cvelistv5

Published

2020-01-22 12:20

Modified

2024-08-05 10:17