Vulnerability CVE-2020-5202

Vulnerability Name:

CVE-2020-5202 (CCN-174813)

Assigned:

2020-01-20

Published:

2020-01-20

Updated:

2022-01-01

Summary:

apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool program attempts to connect to apt-cacher-ng via TCP on localhost port 3142, even if the explicit SocketPath=/var/run/apt-cacher-ng/socket command-line option is passed. The cron job /etc/cron.daily/apt-cacher-ng (which is active by default) attempts this periodically. Because 3142 is an unprivileged port, any local user can try to bind to this port and will receive requests from acngtool. There can be sensitive data in these requests, e.g., if AdminAuth is enabled in /etc/apt-cacher-ng/security.conf. This sensitive data can leak to unprivileged local users that manage to bind to this port before the apt-cacher-ng daemon can.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2020-5202

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0124

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0146

Source: MISC
Type: Exploit, Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/01/20/4

Source: XF
Type: UNKNOWN
aptcacherng-cve20205202-info-disc(174813)

Source: CCN
Type: Debian Web site
Enforce secured call to the server in maint job triggering

Source: CCN
Type: oss-sec Mailing List, Mon, 20 Jan 2020 15:36:08 +0100
CVE-2020-5202: apt-cacher-ng: a local unprivileged user can impersonate the apt-cacher-ng daemon, possible credentials leak

Source: MLIST
Type: Exploit, Mailing List, Third Party Advisory
[oss-security] 20200120 CVE-2020-5202: apt-cacher-ng: a local unprivileged user can impersonate the apt-cacher-ng daemon, possible credentials leak

Source: MISC
Type: Patch, Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2020-5202

Vulnerable Configuration:

Configuration 1:

cpe:/a:apt-cacher-ng_project:apt-cacher-ng:*:*:*:*:*:*:*:* (Version <= 3.3)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:opensuse:backports:sle-15:sp1:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20205202	V	CVE-2020-5202	2021-10-24
oval:org.opensuse.security:def:63098	P	openldap2-2.4.46-9.51.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63438	P	libsnmp30-32bit-5.7.3-8.24 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62819	P	libvdpau-devel-1.1.1-1.28 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:64487	P	Security update for bind (Important)	2021-05-04
oval:org.opensuse.security:def:62618	P	bluez-devel-5.48-11.58 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62619	P	conky-1.11.5-1.20 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63300	P	rsyslog-module-gssapi-8.39.0-2.90 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62642	P	gvfs-1.42.2-4.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:64231	P	cracklib on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:74427	P	Security update for openconnect (Moderate)	2020-12-01
oval:org.opensuse.security:def:63664	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:64333	P	libidn2-0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:74553	P	Security update for apt-cacher-ng (Important)	2020-12-01
oval:org.opensuse.security:def:63991	P	Security update for gcc9 (Moderate)	2020-12-01
oval:org.opensuse.security:def:64375	P	libpython2_7-1_0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64125	P	Security update for grub2 (Important)	2020-12-01
oval:org.opensuse.security:def:100232	P	(Moderate)	2020-10-06
oval:org.opensuse.security:def:93519	P	Security update for apt-cacher-ng (Important)	2020-01-29
oval:org.opensuse.security:def:110177	P	Security update for apt-cacher-ng (Important)	2020-01-29
oval:com.ubuntu.bionic:def:202052020000000	V	CVE-2020-5202 on Ubuntu 18.04 LTS (bionic) - medium.	2020-01-21
oval:com.ubuntu.xenial:def:202052020000000	V	CVE-2020-5202 on Ubuntu 16.04 LTS (xenial) - medium.	2020-01-21
oval:com.ubuntu.disco:def:202052020000000	V	CVE-2020-5202 on Ubuntu 19.04 (disco) - medium.	2020-01-09

BACK