Main Vulnerability Database Vulnerabilities #VU33502

#VU33502 Permissions, Privileges, and Access Controls in ldns - CVE-2014-3209

Published: November 16, 2014 / Updated: August 4, 2020

Vulnerability identifier: #VU33502

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2014-3209

CWE-ID: CWE-264

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
ldns

Software vendor:
NLnet Labs

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The ldns-keygen tool in ldns 1.6.x uses the current umask to set the privileges of the private key, which might allow local users to obtain the private key by reading the file.

Remediation

Install update from vendor's website.

External links

http://www.openwall.com/lists/oss-security/2014/05/03/2
http://www.openwall.com/lists/oss-security/2014/05/05/4
http://www.securityfocus.com/bid/67200
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746758
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=573