CVE-2015-4625
Published 2015-10-26
Priority: P4 · 18 · CVSS 2.0: 4.6 (medium)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.40% (32.3rd percentile)
Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | policykit-1 | < 0.105-12 (bookworm) | 0.105-12 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| polkit_project | polkit | <= 0.112 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 4.6 | MEDIUM | — |
| vendor_debian | — | 4.6 | LOW | — |
| vendor_redhat | — | 4.6 | MEDIUM | — |
| vendor_ubuntu | — | 2.1 | LOW | — |
GHSA
GHSA-m24q-4952-3p5h · ghsa_unreviewed · 2022-05-14 · [MEDIUM]
Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
OSV
policykit-1 vulnerabilities (CVE-2015-3218) · osv · 2018-07-16 · CVSS 2.1 [LOW]
Tavis Ormandy discovered that PolicyKit incorrectly handled certain invalid
object paths. A local attacker could possibly use this issue to cause
PolicyKit to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2015-3218)
It was discovered that PolicyKit incorrectly handled certain duplicate
action IDs. A local attacker could use this issue to cause PolicyKit to
crash, resulting in a denial of service, or possibly escalate privileges.
This issue only affected Ubuntu 14.04 LTS. (CVE-2015-3255)
Tavis Ormandy discovered that PolicyKit incorrectly handled duplicate
cookie values. A local attacker could use this issue to cause PolicyKit to
crash, resulting in a denial of service, or possibly escalate privileges.
This issue only
OSV
CVE-2015-4625 · osv · 2015-10-26 · CVSS 4.6 [MEDIUM]
Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
Ubuntu
PolicyKit vulnerabilities (CVE-2015-3218) · vendor_ubuntu · 2018-07-16 · CVSS 2.1 [LOW]
Title: PolicyKit vulnerabilities
Summary: Several security issues were fixed in PolicyKit.
Red Hat
polkit: potential information disclosure vulnerability due to cookie counter wrapping · vendor_redhat · 2015-05-29 · CVSS 4.6 [MEDIUM] · CWE-190
Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
Package: polkit (Red Hat Enterprise Linux 6) - Will not fix
Package: polkit (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2015-4625: policykit-1 · vendor_debian · 2015 · CVSS 4.6 [MEDIUM]
Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
Scope: local
bookworm: resolved (fixed in 0.105-12)
bullseye: resolved (fixed in 0.105-12)
forky: resolved (fixed in 0.105-12)
sid: resolved (fixed in 0.105-12)
trixie: resolved (fixed in 0.105-12)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-4625 polkit: potential information disclosure vulnerability due to cookie counter wrapping [fedora-all] · bugzilla · 2015-06-19 · CVSS 4.6 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
Bugzilla
CVE-2015-4625 polkit: potential information disclosure vulnerability due to cookie counter wrapping · bugzilla · 2015-06-19 · CVSS 4.6 [MEDIUM]
The following issue was reported in https://bugs.freedesktop.org/show_bug.cgi?id=90837 :
"""
The "cookie" value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and target identity, and attempted
to find an agent from that.
The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.
"""
Upstream fixes:
http://cgit.freedesktop.org/polkit/commit/?id=493aa5dc1d278ab9097110c1262f5229bbaf1766
http://cgit.freedesktop.org/polkit/commit/?id=fb5076b7c05d01a532d593a4079a29c
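The report quoted above gives the root cause: one process-wide integer counter produces every cookie, and a response is matched on the cookie alone, so once the counter wraps a still-live cookie can be reissued to a different session. The C program below is an added example, not polkit's own code and not a transcription of the commits linked above. It shows the shared-counter pattern with the counter narrowed to 16 bits so the wrap is reachable in a quick run, and beside it one hardened design: a random per-agent prefix, a 64-bit per-agent serial that refuses to issue rather than wrap, and a response lookup keyed on the issuing agent as well as the cookie string. The cookie text format "<prefix>-<serial>", the `agent_t` and `pending_t` types, the placeholder prefix constants and all function names are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---------- vulnerable pattern: one process-wide counter for every agent ---------- */

/* polkit used a plain int; it is narrowed to 16 bits here so the wrap is
 * reachable in a quick run. The logic (next cookie = ++counter) is the same. */
static uint16_t g_cookie_counter = 0;

static uint16_t vulnerable_new_cookie(void)
{
    return ++g_cookie_counter;              /* 1, 2, ..., 65535, 0, 1, ... */
}

/* Issue cookies from a fresh counter until one repeats and return how many
 * issues that took: the number of connections an attacker must open. */
unsigned long vulnerable_connections_until_duplicate(void)
{
    static unsigned char seen[1u << 16];
    memset(seen, 0, sizeof seen);
    g_cookie_counter = 0;
    unsigned long issued = 0;
    for (;;) {
        uint16_t c = vulnerable_new_cookie();
        issued++;
        if (seen[c])
            return issued;
        seen[c] = 1;
    }
}

/* The cross-session scenario from the bug report: a victim's authorization is
 * pending with cookie V; the attacker opens enough connections to wrap the
 * counter; the next cookie handed out is V again. Returns 1 on collision. */
int vulnerable_collision_demo(void)
{
    g_cookie_counter = 0;
    uint16_t victim_cookie = vulnerable_new_cookie();
    for (unsigned long i = 0; i < 65535UL; i++)
        (void)vulnerable_new_cookie();
    return vulnerable_new_cookie() == victim_cookie;
}

/* ---------- hardened pattern (this example's design, not the upstream patch) ---------- */

typedef struct {
    uint64_t prefix;    /* random, fixed when the agent registers */
    uint64_t serial;    /* per-agent 64-bit counter; a value is never reused */
} agent_t;

/* The caller supplies the prefix so the example is deterministic; in a real
 * daemon draw it from getrandom(2) or /dev/urandom at registration time. */
void agent_init(agent_t *a, uint64_t random_prefix)
{
    a->prefix = random_prefix;
    a->serial = 0;
}

/* Cookie text is "<prefix>-<serial>" (assumed format). Refuses to issue rather
 * than wrap. Returns 0 on success, -1 if the serial space is exhausted or buf
 * is too small for the text plus its terminator. */
int hardened_new_cookie(agent_t *a, char *buf, size_t len)
{
    if (a->serial == UINT64_MAX)
        return -1;
    a->serial++;
    int n = snprintf(buf, len, "%llu-%llu",
                     (unsigned long long)a->prefix, (unsigned long long)a->serial);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* A pending authorization remembers which agent the cookie was issued to. */
typedef struct {
    const agent_t *issuer;
    char cookie[48];
} pending_t;

/* Response handling: the cookie alone is not enough, the responding agent must
 * be the issuer. Returns the index of the matching pending entry or -1. */
int hardened_lookup(const pending_t *list, size_t n,
                    const agent_t *responder, const char *cookie)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].issuer == responder && strcmp(list[i].cookie, cookie) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    printf("vulnerable: duplicate after %lu cookies, collision=%d\n",
           vulnerable_connections_until_duplicate(), vulnerable_collision_demo());

    agent_t victim, attacker;
    agent_init(&victim, 0x5e1ec7edc0ffeeULL);   /* placeholder prefixes, not random */
    agent_init(&attacker, 0x0badf00dULL);
    pending_t pending[1];
    pending[0].issuer = &victim;
    hardened_new_cookie(&victim, pending[0].cookie, sizeof pending[0].cookie);

    /* Even holding the exact cookie string, the attacker's agent cannot answer it. */
    printf("hardened: attacker lookup=%d, victim lookup=%d\n",
           hardened_lookup(pending, 1, &attacker, pending[0].cookie),
           hardened_lookup(pending, 1, &victim, pending[0].cookie));
    return 0;
}
```

The two halves of the fix matter independently: the per-agent prefix and non-wrapping serial stop a cookie from ever being handed out twice, and keying the lookup on the issuing agent means that even a correctly guessed or leaked cookie string from another session is rejected.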
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161721.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162294.html
http://lists.freedesktop.org/archives/polkit-devel/2015-July/000432.html
http://lists.freedesktop.org/archives/polkit-devel/2015-June/000427.html
http://lists.freedesktop.org/archives/polkit-devel/2015-May/000419.html
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00010.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00042.html
http://www.openwall.com/lists/oss-security/2015/06/08/3
http://www.openwall.com/lists/oss-security/2015/06/09/1
http://www.openwall.com/lists/oss-security/2015/06/16/21
http://www.securityfocus.com/bid/75267
http://www.securitytracker.com/id/1035023