Vulnerability Name:

CVE-2020-8024 (CCN-184111)

Assigned: 2020-06-09
Published: 2020-06-09
Updated: 2020-07-22
Summary: An Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects: openSUSE Leap 15.2 hylafax+ versions prior to 7.0.2-lp152.2.1. openSUSE Leap 15.1 hylafax+ version 5.6.1-lp151.3.7 and prior versions. openSUSE Factory hylafax+ versions prior to 7.0.2-2.1.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-276
Vulnerability Consequences: Gain Privileges
References:

Source: MITRE
Type: CNA
CVE-2020-8024

Source: SUSE
Type: Mailing List, Patch, Vendor Advisory
openSUSE-SU-2020:0958

Source: CCN
Type: Bugzilla – Bug 1172731
(CVE-2020-8024) VUL-0: CVE-2020-8024: hylafax+: Problematic permissions allow escalation from uucp to other users

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1172731

Source: XF
Type: UNKNOWN
opensuse-cve20208024-priv-esc(184111)

Source: CCN
Type: openSUSE Web site
hylafax+ package for openSUSE

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:opensuse:hylafax+:*:*:*:*:*:*:*:* (Version < 7.0.2-lp152.2.1)
  • AND
  • cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:opensuse:hylafax+:*:*:*:*:*:*:*:* (Version < 5.6.1-lp151.3.7)
  • AND
  • cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:opensuse:hylafax+:*:*:*:*:*:*:*:* (Version < 7.0.2-2.1)
  • AND
  • cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.opensuse.security:def:20208024 | V | CVE-2020-8024 | 2022-06-30 |
| oval:org.opensuse.security:def:112415 | P | hylafax+-7.0.3-5.1 on GA media (Moderate) | 2022-01-17 |
| oval:org.opensuse.security:def:64894 | P | Security update for runc (Moderate) | 2021-12-23 |
| oval:org.opensuse.security:def:64622 | P | Security update for python-Pygments (Important) | 2021-12-01 |
| oval:org.opensuse.security:def:64782 | P | Security update for util-linux (Moderate) | 2021-10-20 |
| oval:org.opensuse.security:def:105922 | P | hylafax+-7.0.3-5.1 on GA media (Moderate) | 2021-10-01 |
| oval:org.opensuse.security:def:63470 | P | finch-2.13.0-10.105 on GA media (Moderate) | 2021-08-10 |
| oval:org.opensuse.security:def:62999 | P | crash-7.2.9-21.4 on GA media (Moderate) | 2021-08-09 |
| oval:org.opensuse.security:def:64724 | P | Security update for arpwatch (Important) | 2021-06-28 |
| oval:org.opensuse.security:def:64514 | P | Security update for ceph (Important) | 2021-06-02 |
| oval:org.opensuse.security:def:64515 | P | Security update for gdk-pixbuf (Moderate) | 2021-01-21 |
| oval:org.opensuse.security:def:62967 | P | ncurses-devel-32bit-6.1-5.6.2 on GA media (Moderate) | 2020-12-03 |
| oval:org.opensuse.security:def:63177 | P | qemu-2.11.1-7.5 on GA media (Moderate) | 2020-12-03 |
| oval:org.opensuse.security:def:62971 | P | pam-devel-32bit-1.3.0-6.16.1 on GA media (Moderate) | 2020-12-03 |
| oval:org.opensuse.security:def:62974 | P | perl-DNS-LDNS-1.7.0-4.3.1 on GA media (Moderate) | 2020-12-03 |
| oval:org.opensuse.security:def:63673 | P | Security update for ovmf (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:74969 | P | Security update for hylafax+ (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:63820 | P | Security update for libssh2_org (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:64049 | P | Security update for grub2 (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:74836 | P | Security update for resource-agents (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:64378 | P | librrd8 on GA media (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:110631 | P | Security update for hylafax+ (Moderate) | 2020-07-14 |

    opensuse hylafax+ *
    opensuse leap 15.2
    opensuse hylafax+ *
    opensuse leap 15.1
    opensuse hylafax+ *
    opensuse leap 15.1