Lucene search

[email protected]CVE-2014-3956

HistoryJun 04, 2014 - 11:19 a.m.

CVE-2014-3956

2014-06-0411:19:13

CWE-200

[email protected]

web.nvd.nist.gov

209

cve-2014-3956

sendmail

security vulnerability

local users

file descriptors

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.2%

JSON

The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has arguments in the wrong order, and consequently skips setting expected FD_CLOEXEC flags, which allows local users to access unintended high-numbered file descriptors via a custom mail-delivery program.

Affected configurations

NVD

Node

freebsdfreebsdRange≤9.2-

Node

hphpuxRange≤b.11.31

Node

fedoraprojectfedoraMatch20

Node

sendmailsendmailRange≤8.14.8

sendmailsendmailMatch8.6.7

sendmailsendmailMatch8.7.6

sendmailsendmailMatch8.7.7

sendmailsendmailMatch8.7.8

sendmailsendmailMatch8.7.9

sendmailsendmailMatch8.7.10

sendmailsendmailMatch8.8.8

sendmailsendmailMatch8.9.0

sendmailsendmailMatch8.9.1

sendmailsendmailMatch8.9.2

sendmailsendmailMatch8.9.3

sendmailsendmailMatch8.10

sendmailsendmailMatch8.10.0

sendmailsendmailMatch8.10.1

sendmailsendmailMatch8.10.2

sendmailsendmailMatch8.11.0

sendmailsendmailMatch8.11.1

sendmailsendmailMatch8.11.2

sendmailsendmailMatch8.11.3

sendmailsendmailMatch8.11.4

sendmailsendmailMatch8.11.5

sendmailsendmailMatch8.11.6

sendmailsendmailMatch8.11.7

sendmailsendmailMatch8.12.0

sendmailsendmailMatch8.12.1

sendmailsendmailMatch8.12.2

sendmailsendmailMatch8.12.3

sendmailsendmailMatch8.12.4

sendmailsendmailMatch8.12.5

sendmailsendmailMatch8.12.6

sendmailsendmailMatch8.12.7

sendmailsendmailMatch8.12.8

sendmailsendmailMatch8.12.9

sendmailsendmailMatch8.12.10

sendmailsendmailMatch8.12.11

sendmailsendmailMatch8.13.0

sendmailsendmailMatch8.13.1

sendmailsendmailMatch8.13.2

sendmailsendmailMatch8.13.3

sendmailsendmailMatch8.13.4

sendmailsendmailMatch8.13.5

sendmailsendmailMatch8.13.6

sendmailsendmailMatch8.13.7

sendmailsendmailMatch8.13.8

sendmailsendmailMatch8.14.0

sendmailsendmailMatch8.14.1

sendmailsendmailMatch8.14.2

sendmailsendmailMatch8.14.3

sendmailsendmailMatch8.14.4

sendmailsendmailMatch8.14.5

sendmailsendmailMatch8.14.6

sendmailsendmailMatch8.14.7

CPENameOperatorVersion
freebsd:freebsdfreebsdle9.2

CPE	Name	Operator	Version
freebsd:freebsd	freebsd	le	9.2

References

ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES

advisories.mageia.org/MGASA-2014-0270.html

lists.fedoraproject.org/pipermail/package-announce/2014-June/134349.html

lists.opensuse.org/opensuse-updates/2014-06/msg00032.html

lists.opensuse.org/opensuse-updates/2014-06/msg00033.html

packetstormsecurity.com/files/126975/Slackware-Security-Advisory-sendmail-Updates.html

secunia.com/advisories/57455

secunia.com/advisories/58628

security.gentoo.org/glsa/glsa-201412-32.xml

www.freebsd.org/security/advisories/FreeBSD-SA-14%3A11.sendmail.asc

www.mandriva.com/security/advisories?name=MDVSA-2014:147

www.mandriva.com/security/advisories?name=MDVSA-2015:128

www.securityfocus.com/bid/67791

www.securitytracker.com/id/1030331

www.sendmail.com/sm/open_source/download/8.14.9/

www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.728644

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05216368

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.2%

JSON

Related for CVE-2014-3956

nessus20 openvas9 fedora2 nvd1 ibm1 securityvulns1 rosalinux1 aix1 prion1 gentoo1 slackware1 mageia1 ubuntucve1 cvelist1 debiancve1