Vulnerability Name: CVE-2010-3847

Assigned: 2010-10-08
Published: 2010-10-18
Updated: 2018-02-14
Summary: elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.6 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:U/RC:UR)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.8 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:U/RC:UR)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (REDHAT CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.8 Medium (REDHAT Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:U/RC:UR)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-59
References:

Source: FULLDISC
Type: UNKNOWN
20101018 The GNU C library dynamic linker expands $ORIGIN in setuid library search path

Source: FULLDISC
Type: UNKNOWN
20101019 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path

Source: FULLDISC
Type: UNKNOWN
20101020 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path

Source: GENTOO
Type: UNKNOWN
GLSA-201011-01

Source: MLIST
Type: PATCH
[libc-hacker] 20101018 [PATCH] Never expand $ORIGIN in privileged programs

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/css/P8/documents/100120941

Source: DEBIAN
Type: UNKNOWN
DSA-2122

Source: CERT-VN
Type: UNKNOWN
VU#537223

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2010:207

Source: REDHAT
Type: UNKNOWN
RHSA-2010:0872

Source: BUGTRAQ
Type: UNKNOWN
20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap

Source: BID
Type: UNKNOWN
44154

Source: UBUNTU
Type: UNKNOWN
USN-1009-1

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/security/advisories/VMSA-2011-0001.html

Source: VUPEN
Type: VENDOR_ADVISORY
ADV-2011-0025

Source: CONFIRM
Type: PATCH
https://bugzilla.redhat.com/show_bug.cgi?id=643306

Source: XF
Type: UNKNOWN
glibc-origin-privilege-escalation(62603)

Source: SUSE
Type: UNKNOWN
SUSE-SA:2010:052

Source: REDHAT
Type: UNKNOWN
RHSA-2010:0787

Source: EXPLOIT-DB
Type: UNKNOWN
44024

Source: EXPLOIT-DB
Type: UNKNOWN
44025

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:gnu:glibc:1.00:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.01:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.02:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.03:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.04:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.05:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.06:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.07:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.08:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.09:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:1.09.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.3.10:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.9:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.10:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.6:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.7:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.8:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.9:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.10:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.10.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.11:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.11.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.11.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.12.1:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:gnu:glibc:2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.1.9:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.10:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.11.1:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.10:*:*:*:*:*:*:*
  • OR cpe:/a:gnu:glibc:2.3.5:*:*:*:*:*:*:*
  • AND
  • cpe:/a:gentoo:linux_eix:0.3:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
  • OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:enterprise_server:5:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20103847 | V | CVE-2010-3847 | 2018-02-18
oval:org.mitre.oval:def:13489 | P | USN-1009-1 -- glibc, eglibc vulnerabilities | 2014-06-30
oval:org.mitre.oval:def:13244 | P | USN-1009-2 -- eglibc, glibc vulnerability | 2014-06-30
oval:org.mitre.oval:def:12604 | P | DSA-2122-1 glibc -- missing input sanitisation | 2014-06-23
oval:org.mitre.oval:def:12802 | P | DSA-2122-2 glibc -- missing input sanitisation | 2014-06-23
oval:org.mitre.oval:def:23012 | P | ELSA-2010:0787: glibc security update (Important) | 2014-05-26
oval:org.mitre.oval:def:23540 | P | ELSA-2010:0872: glibc security and bug fix update (Important) | 2014-05-26
oval:org.mitre.oval:def:22327 | P | RHSA-2010:0872: glibc security and bug fix update (Important) | 2014-02-24
oval:org.mitre.oval:def:22199 | P | RHSA-2010:0787: glibc security update (Important) | 2014-02-24
oval:org.mitre.oval:def:19821 | V | VMware ESX third party updates for Service Console packages glibc, sudo, and openldap | 2014-01-20
oval:com.redhat.rhsa:def:20100872 | P | RHSA-2010:0872: glibc security and bug fix update (Important) | 2010-11-10
oval:org.debian:def:2122 | V | missing input sanitization | 2010-10-22
oval:com.redhat.rhsa:def:20100787 | P | RHSA-2010:0787: glibc security update (Important) | 2010-10-20