Vulnerability CVE-2003-0461

Vulnerability Name:

CVE-2003-0461 (CCN-12708)

Assigned:

2003-07-21

Published:

2003-07-21

Updated:

2017-10-11

Summary:

/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2003-0461

Source: CCN
Type: RHSA-2002-263
kernel security update

Source: CCN
Type: RHSA-2003-238
Updated 2.4 kernel fixes vulnerabilities

Source: CCN
Type: RHSA-2004-188
Updated kernel packages available for Red Hat Enterprise Linux 3 Update 2

Source: MISC
Type: UNKNOWN
http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html

Source: CCN
Type: SECTRACK ID: 1007243
Linux 2.4 Kernel /proc/tty/driver/serial May Disclose Password Characteristics to Local Users

Source: CCN
Type: CIAC Information Bulletin O-059
Debian Linux-Kernel-2.4.14-ia64 Vulnerabilities

Source: CCN
Type: CIAC Information Bulletin O-145
Red Hat Updated Kernel Packages for Enterprise Linux 3

Source: DEBIAN
Type: UNKNOWN
DSA-358

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-423

Source: DEBIAN
Type: DSA-358
linux-kernel-2.4.18 -- several vulnerabilities

Source: DEBIAN
Type: DSA-423
linux-kernel-2.4.17-ia64 -- several vulnerabilities

Source: CCN
Type: Linux kernel Web site
2.4.21 ChangeLog

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2003:238

Source: REDHAT
Type: UNKNOWN
RHSA-2004:188

Source: CCN
Type: BID-10330
Linux Kernel Serial Driver Proc File Information Disclosure Vulnerability

Source: CCN
Type: BID-8233
Multiple Linux 2.4 Kernel Vulnerabilities

Source: CCN
Type: TLSA-2003-58
Multiple vulnerabilities in kernel

Source: XF
Type: UNKNOWN
linux-serial-obtain-information(12708)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:304

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9330

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:997

Vulnerable Configuration:

Configuration 1:

cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:linux:linux_kernel:2.4.3:-:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.4:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.5:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.6:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.18:-:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.20:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.7:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.0:-:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.1:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.10:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.11:-:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.12:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.13:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.14:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.15:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.16:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.17:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.19:-:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.2:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.8:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:2.4.9:*:*:*:*:*:*:*

AND

cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*

OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.cisecurity:def:532	P	DSA-358-4 -- linux-kernel-2.4.18 -- several vulnerabilities	2016-07-01
oval:org.mitre.oval:def:9330	V	/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.	2013-04-29
oval:org.debian:def:358	V	several vulnerabilities	2013-01-21
oval:org.mitre.oval:def:997	V	Red Hat Enterprise Linux 3 Kernel Serial Link Information Disclosure Vulnerability	2012-04-23
oval:org.mitre.oval:def:304	V	Red Hat Linux Kernel Serial Link Information Disclosure Vulnerability	2007-04-25
oval:com.redhat.rhsa:def:20040188	P	RHSA-2004:188: Updated kernel packages available for Red Hat Enterprise Linux 3 Update 2 (Important)	2004-05-11
oval:org.debian:def:423	V	several vulnerabilities	2004-01-15

BACK