Vulnerability CVE-2010-3847

Vulnerability Name:

CVE-2010-3847 (CCN-62603)

Assigned:

2010-10-17

Published:

2010-10-17

Updated:

2023-02-13

Summary:

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

CVSS v3 Severity:

9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
6.2 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.2 High (REDHAT CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
6.5 Medium (REDHAT Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-426

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2010-3847

Source: CCN
Type: RHSA-2010-0787
Important: glibc security update

Source: CCN
Type: RHSA-2010-0872
Important: glibc security and bug fix update

Source: secalert@redhat.com
Type: Exploit
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: SA41795
GNU C Library Dynamic Linker $ORIGIN Expansion Weakness

Source: CCN
Type: SA42787
VMware ESX Console OS (COS) Multiple Vulnerabilities

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: Patch
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: DEBIAN
Type: DSA-2122
glibc -- missing input sanitization

Source: CCN
Type: GLSA-201011-01
GNU C library: Multiple vulnerabilities

Source: CCN
Type: GNU C Library Web page
GNU C Library

Source: CCN
Type: US-CERT VU#537223
GNU C library dynamic linker expands $ORIGIN in setuid library search path

Source: secalert@redhat.com
Type: US Government Resource
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: OSVDB ID: 68721
GNU C Library (glibc) Dynamic Linker $ORIGIN Substitution Expansion Weakness Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 75261
GNU C Library (glibc) ld.so $ORIGIN Dynamic String Token RPATH Local Privilege Escalation

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: BID-44154
GNU glibc Dynamic Linker '$ORIGIN' Local Privilege Escalation Vulnerability

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: Vendor Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Patch
secalert@redhat.com

Source: XF
Type: UNKNOWN
glibc-origin-privilege-escalation(62603)

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: Packet Storm Security [02-10-2018]
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation

Source: CCN
Type: Packet Storm Security [02-10-2018]
glibc '$ORIGIN' Expansion Privilege Escalation

Source: CCN
Type: Packet Storm Security [03-30-2018]
glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [10-17-2010]

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [02-12-2018]

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [02-12-2018]

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: SUSE
Type: SUSE-SA:2010:052
Linux kernel security update

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 8:

cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:gnu:glibc:2.2.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.0:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.1.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.1.9:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.2.2:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.2.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.2.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.3.10:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.3.3:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.3.4:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.11.1:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.10:*:*:*:*:*:*:*

OR cpe:/a:gnu:glibc:2.3.5:*:*:*:*:*:*:*

AND

cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*

OR cpe:/o:novell:suse_linux_enterprise_server:10:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:x86_64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*

OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:*:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:linux:2010:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:linux:2010:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20103847	V	CVE-2010-3847	2022-05-20
oval:org.opensuse.security:def:32169	P	Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)	2021-08-25
oval:org.opensuse.security:def:29397	P	Security update for MozillaFirefox (Important)	2021-07-16
oval:org.opensuse.security:def:29361	P	Security update for the Linux Kernel (Important)	2021-05-17
oval:org.opensuse.security:def:32262	P	Security update for java-1_8_0-openjdk (Moderate)	2021-02-19
oval:org.opensuse.security:def:28145	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:31949	P	Security update for grub2 (Important)	2020-12-01
oval:org.opensuse.security:def:28723	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:32618	P	xorg-x11-Xvnc on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28286	P	Security update for mysql (Important)	2020-12-01
oval:org.opensuse.security:def:31961	P	Security update for guile (Low)	2020-12-01
oval:org.opensuse.security:def:32706	P	libcap-progs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28522	P	Security update for openvpn-openssl1 (Important)	2020-12-01
oval:org.opensuse.security:def:27940	P	Security update for GraphicsMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:32772	P	perl-spamassassin on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28624	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:32319	P	Security update for ruby (Moderate)	2020-12-01
oval:org.opensuse.security:def:28015	P	Security update for augeas (Moderate)	2020-12-01
oval:org.opensuse.security:def:33449	P	Security update for glibc	2020-12-01
oval:org.opensuse.security:def:28679	P	Security update for flac	2020-12-01
oval:org.opensuse.security:def:32562	P	libpoppler-glib4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28229	P	Security update for libtirpc, rpcbind (Important)	2020-12-01
oval:org.opensuse.security:def:31950	P	Security update for grub2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32667	P	fuse on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28370	P	Security update for python (Important)	2020-12-01
oval:org.opensuse.security:def:32035	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:27939	P	Security update for GraphicsMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:32728	P	libqt4-sql-mysql on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28575	P	Security update for OpenSSL	2020-12-01
oval:org.opensuse.security:def:27951	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:33410	P	Security update for python-pycrypto (Important)	2020-12-01
oval:org.opensuse.security:def:28663	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:32406	P	Security update for wavpack (Moderate)	2020-12-01
oval:org.mitre.oval:def:13244	P	USN-1009-2 -- eglibc, glibc vulnerability	2014-06-30
oval:org.mitre.oval:def:13489	P	USN-1009-1 -- glibc, eglibc vulnerabilities	2014-06-30
oval:org.mitre.oval:def:12802	P	DSA-2122-2 glibc -- missing input sanitisation	2014-06-23
oval:org.mitre.oval:def:12604	P	DSA-2122-1 glibc -- missing input sanitisation	2014-06-23
oval:org.mitre.oval:def:23540	P	ELSA-2010:0872: glibc security and bug fix update (Important)	2014-05-26
oval:org.mitre.oval:def:23012	P	ELSA-2010:0787: glibc security update (Important)	2014-05-26
oval:org.mitre.oval:def:22199	P	RHSA-2010:0787: glibc security update (Important)	2014-02-24
oval:org.mitre.oval:def:22327	P	RHSA-2010:0872: glibc security and bug fix update (Important)	2014-02-24
oval:org.mitre.oval:def:19821	V	VMware ESX third party updates for Service Console packages glibc, sudo, and openldap	2014-01-20
oval:com.redhat.rhsa:def:20100872	P	RHSA-2010:0872: glibc security and bug fix update (Important)	2010-11-10
oval:org.debian:def:2122	V	missing input sanitization	2010-10-22
oval:com.redhat.rhsa:def:20100787	P	RHSA-2010:0787: glibc security update (Important)	2010-10-20

BACK