#VU42514 Permissions, Privileges, and Access Controls in davfs2 - CVE-2013-4362

Cybersecurity Help s.r.o.

Published: 2013-10-01 | Updated: 2020-09-11

Vulnerability identifier: #VU42514

Vulnerability risk: High

CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2013-4362

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
davfs2
Other software / Other software solutions

Vendor: savannah.nongnu.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users to gain privileges via unknown attack vectors in (1) kernel_interface.c and (2) mount_davfs.c, related to the "system" function.

Mitigation
Install update from vendor's website.

Vulnerable software versions

davfs2: 1.4.6 - 1.4.7

External links
https://osvdb.org/97416
https://osvdb.org/97417
https://savannah.nongnu.org/bugs/?40034
https://seclists.org/oss-sec/2013/q3/627
https://www.debian.org/security/2013/dsa-2765
https://www.securityfocus.com/bid/62445
https://security.gentoo.org/glsa/201612-02

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Gentoo update for DavFS2

Permissions, Privileges, and Access Controls in savannah.nongnu davfs2