Vulnerability CVE-2020-13696

Vulnerability Name:

CVE-2020-13696 (CCN-182956)

Assigned:

2020-06-04

Published:

2020-06-04

Updated:

2022-04-28

Summary:

An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command.

CVSS v3 Severity:

4.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
3.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

5.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
4.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.6 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

3.6 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-863

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2020-13696

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0784

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0787

Source: CONFIRM
Type: Issue Tracking, Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/06/04/6

Source: MISC
Type: Broken Link, Issue Tracking, Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-13696

Source: XF
Type: UNKNOWN
xawtv-cve202013696-sec-bypass(182956)

Source: MISC
Type: Patch, Vendor Advisory
https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3

Source: CCN
Type: xawtv3.git Web site
v4l-conf: simplify stat messag

Source: MISC
Type: Patch, Vendor Advisory
https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292

Source: MISC
Type: Patch, Vendor Advisory
https://git.linuxtv.org/xawtv3.git/commit/?id=8e3feea862db68d3ca0886f46cd99fab45d2db7c

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200612 [SECURITY] [DLA 2246-1] xawtv security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-cd5ad916e4

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-93db553bb7

Source: CCN
Type: oss-sec Mailing List, Thu, 4 Jun 2020 10:30:41 +0530 (IST)
xawtv: CVE-2020-13696: v4l-conf setuid-root program allows file existence tests and open(..., O_RDRW) on arbitrary files

Source: UBUNTU
Type: Third Party Advisory
USN-4518-1

Vulnerable Configuration:

Configuration 1:

cpe:/a:linuxtv:xawtv:*:*:*:*:*:*:*:* (Version < 3.107)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4:

cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 5:

cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:202013696	V	CVE-2020-13696	2022-09-02
oval:org.opensuse.security:def:93615	P	(Important)	2022-06-16
oval:org.opensuse.security:def:111924	P	alevtd-3.107-2.5 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:64833	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:105492	P	alevtd-3.107-2.5 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:100328	P	(Low)	2021-09-07
oval:org.opensuse.security:def:64561	P	Security update for libmspack (Moderate)	2021-08-20
oval:org.opensuse.security:def:47577	P	coreutils-8.25-13.7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47217	P	busybox-1.21.1-3.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47603	P	emacs-24.3-25.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47393	P	libpng12-0-1.2.50-19.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47743	P	libmpfr4-3.1.2-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46979	P	kernel-default-4.4.21-69.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48343	P	xf86-video-intel-2.99.917+git781.c8990575-1.27 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47032	P	libipa_hbac0-1.13.4-18.10 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47641	P	gzip-1.6-9.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47431	P	libvte9-0.28.2-19.7 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47634	P	gstreamer-plugins-base-1.8.3-12.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47477	P	python-2.7.13-27.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47070	P	libqt4-32bit-4.8.6-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47539	P	yast2-3.2.36-1.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47179	P	xalan-j2-2.7.0-264.133 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47672	P	libXcursor1-1.1.14-4.6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47515	P	tftp-5.2-10.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47705	P	libexif12-0.6.21-8.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46941	P	freeradius-server-3.0.3-10.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:64721	P	Security update for cryptctl (Important)	2021-06-23
oval:org.opensuse.security:def:46535	P	mipv6d-2.0.2.umip.0.4-19.63 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48435	P	gpgme-1.5.1-1.11 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46617	P	apache2-mod_perl-2.0.8-11.43 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46483	P	libgnomesu-1.0.0-352.81 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46484	P	libgoa-1_0-0-3.10.5-1.11 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46655	P	file-5.19-9.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46521	P	libtasn1-3.7-2.13 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46809	P	pam_ssh-2.0-1.40 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46522	P	libtiff5-32bit-4.0.3-9.78 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48381	P	bzip2-1.0.6-29.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46497	P	libmspack0-0.4-3.57 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48397	P	cvs-1.12.12-181.54 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46847	P	squidGuard-1.4-23.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:64663	P	Security update for openldap2 (Important)	2021-03-08
oval:org.opensuse.security:def:26194	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:64454	P	Security update for flac (Moderate)	2020-12-24
oval:org.opensuse.security:def:64453	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:62913	P	osc-0.165.0-1.3 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63612	P	dia-0.97.3-4.3.3 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63116	P	kernel-devel-azure-4.12.14-5.47.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62906	P	libtidy-devel-5.4.0-1.34 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63409	P	nodejs12-12.18.0-2.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62910	P	ocaml-4.05.0-4.25 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62938	P	bsh2-2.0.0.b6-10.65 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:24988	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:25411	P	Security update for u-boot (Important)	2020-12-01
oval:org.opensuse.security:def:26232	P	Security update for openconnect (Moderate)	2020-12-01
oval:org.opensuse.security:def:25163	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:24799	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26229	P	Security update for xawtv (Moderate)	2020-12-01
oval:org.opensuse.security:def:25208	P	Security update for python3-requests (Moderate)	2020-12-01
oval:org.opensuse.security:def:25550	P	Security update for squid (Important)	2020-12-01
oval:org.opensuse.security:def:25026	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25449	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:64317	P	libblkid-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25556	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:25069	P	Security update for ucode-intel (Important)	2020-12-01
oval:org.opensuse.security:def:24837	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26267	P	Security update for xawtv (Moderate)	2020-12-01
oval:org.opensuse.security:def:25246	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:74775	P	Security update for skopeo (Moderate)	2020-12-01
oval:org.opensuse.security:def:63759	P	Security update for squid (Moderate)	2020-12-01
oval:org.opensuse.security:def:25498	P	Security update for icu (Moderate)	2020-12-01
oval:org.opensuse.security:def:24862	P	Security update for apache2 (Important)	2020-12-01
oval:org.opensuse.security:def:25358	P	Security update for tomcat (Important)	2020-12-01
oval:org.opensuse.security:def:24789	P	Security update for ucode-intel (Moderate)	2020-12-01
oval:org.opensuse.security:def:25594	P	Security update for targetcli-fb (Moderate)	2020-12-01
oval:org.opensuse.security:def:25107	P	Security update for openssl-1_1 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25125	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:25536	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:24900	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:25396	P	Security update for perl-DBI (Important)	2020-12-01
oval:org.opensuse.security:def:74908	P	Security update for xawtv (Moderate)	2020-12-01
oval:org.opensuse.security:def:24827	P	Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)	2020-12-01
oval:org.opensuse.security:def:63988	P	Security update for LibreOffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:25512	P	Security update for tomcat (Important)	2020-12-01
oval:org.opensuse.security:def:127474	P	Security update for xawtv (Moderate)	2020-06-23
oval:org.opensuse.security:def:110570	P	Security update for xawtv (Moderate)	2020-06-08

BACK