#VU32675 Information disclosure in Util-linux - CVE-2013-0157


Updated: 2020-07-28

Vulnerability identifier: #VU32675

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-0157

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Util-linux
Universal components / Libraries / Libraries used by multiple products

Vendor: kernel.org

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Util-linux: 4.31


External links
https://bugs.debian.org/697464
https://marc.info/?l=oss-security&m=135749410312247&w=2
https://osvdb.org/88953
https://rhn.redhat.com/errata/RHSA-2013-0517.html
https://www.mandriva.com/security/advisories?name=MDVSA-2013:154
https://bugzilla.redhat.com/show_bug.cgi?id=892330


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

