Vulnerability Name:

CVE-2014-1421 (CCN-99870)

Assigned: 2014-11-18
Published: 2014-11-18
Updated: 2016-12-08
Summary: mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.
CVSS v3 Severity: 5.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
3.6 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N)
2.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2014-1421

Source: CCN
Type: BID-71343
Ubuntu mountall Package CVE-2014-1421 Local Security Bypass Vulnerability

Source: CCN
Type: Ubuntu Web site
Ubuntu

Source: UBUNTU
Type: Vendor Advisory
USN-2411-1

Source: CCN
Type: Ubuntu USN Web site
USN-2411-1: mountall vulnerability

Source: XF
Type: UNKNOWN
ubuntu-cve20141421-sec-bypass(99870)

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.mitre.oval:def:28586 | P | USN-2411-1 -- mountall vulnerability | 2015-03-09
    oval:com.ubuntu.precise:def:20141421000 | V | CVE-2014-1421 on Ubuntu 12.04 LTS (precise) - medium. | 2014-11-25
    oval:com.ubuntu.trusty:def:20141421000 | V | CVE-2014-1421 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-11-25
    canonical ubuntu linux 14.10