CVE-2009-0115
published 2009-03-30
CVE-2009-0115: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES)…
high · 7.8 · CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avaya | intuity_audix_lx | — | — |
| avaya | message_networking | — | — |
| avaya | messaging_storage_server | — | — |
| avaya | messaging_storage_server | — | — |
| avaya | messaging_storage_server | — | — |
| christophe.varoqui | multipath-tools | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | multipath-tools | < multipath-tools 0.4.8-15 (bookworm) | multipath-tools 0.4.8-15 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| juniper | ctpview | < 7.1 | 7.1 |
| juniper | ctpview | — | — |
| opensuse | opensuse | 10.3 – 11.0 | — |
| opensvc | multipath-tools | >= 0 < 0.4.8-15 | 0.4.8-15 |
| opensvc | multipath-tools | >= 0 < 0.4.8-15 | 0.4.8-15 |
| opensvc | multipath-tools | >= 0 < 0.4.8-15 | 0.4.8-15 |
| opensvc | multipath-tools | >= 0 < 0.4.8-15 | 0.4.8-15 |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_server | — | — |
| suse | linux_enterprise_server | — | — |
CVSS provenance
nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv · 7.8 · HIGH
Red Hat
device-mapper-multipath: insecure permissions on multipathd.sock
vendor_redhat·2009-03-24·CVSS 7.8
CVE-2009-0115 [HIGH] device-mapper-multipath: insecure permissions on multipathd.sock
Debian
CVE-2009-0115: multipath-tools - The Device Mapper multipathing driver (aka multipath-tools or device-mapper-mult...
vendor_debian·2009·CVSS 7.8
CVE-2009-0115 [HIGH] CVE-2009-0115: multipath-tools - The Device Mapper multipathing driver (aka multipath-tools or device-mapper-mult...
Scope: local
bookworm: resolved (fixed in 0.4.8-15)
bullseye: resolved (fixed in 0.4.8-15)
forky: resolved (fixed in 0.4.8-15)
sid: resolved (fixed in 0.4.8-15)
trixie: resolved (fixed in 0.4.8-15)
GHSA
GHSA-m58q-qh36-cwx8: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0
ghsa_unreviewed·2022-05-02
CVE-2009-0115 [HIGH] CWE-732 GHSA-m58q-qh36-cwx8: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0
OSV
CVE-2009-0115: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0
osv·2009-03-30·CVSS 7.8
CVE-2009-0115 [HIGH] CVE-2009-0115: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2010-0277 pidgin MSN protocol plugin memory corruption
bugzilla·2010-01-11·CVSS 7.5
CVE-2010-0277 [HIGH] CVE-2010-0277 pidgin MSN protocol plugin memory corruption
slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and
Adium 1.3.8 allows remote attackers to cause a denial of service
(memory corruption) or possibly have unspecified other impact via
unknown vectors, a different issue than CVE-2010-0013.
Reference: URL:http://www.openwall.com/lists/oss-security/2010/01/07/2
Reference: MISC:http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
Discussion:
http://pidgin.im/news/security/?id=43
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2010:0115 https://rhn.redhat.com/errata/RHSA-2010-0115.html
---
pidgin-2.6.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.
Bugzilla
CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock
bugzilla·2009-04-01·CVSS 7.8
CVE-2009-0115 [HIGH] CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0115 to the following vulnerability:
multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
Enterprise Server (SLES) 10 uses world-writable permissions for the
socket file (aka /var/run/multipathd.sock), which allows local users
to send arbitrary commands to the multipath daemon.
References:
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://download.opensuse.org/update/10.3-test/repodata/patch-kpartx-6082.xml
http://secunia.com/advisories/34418
Discussion:
The affected component in Red Hat Enterprise Linux / Fedora is device-mapper-multipath; both EL4 and EL5 seem to be affected by this flaw.
--
http://download.opensuse.org/update/10.3-test/repodata/patch-kpartx-6082.xml
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10691
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://launchpad.net/bugs/cve/2009-0115
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
http://secunia.com/advisories/34418
http://secunia.com/advisories/34642
http://secunia.com/advisories/34694
http://secunia.com/advisories/34710
http://secunia.com/advisories/34759
http://secunia.com/advisories/38794
http://support.avaya.com/elmodocs2/security/ASA-2009-128.htm
http://www.debian.org/security/2009/dsa-1767
http://www.vupen.com/english/advisories/2010/0528
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9214
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00231.html
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00236.html
Published: 2009-03-30