CVE-2010-4176 : plymouth-pretrigger.sh in dracut and udev, when running on Fedora 13 and 14, sets weak permissions for the /dev/systty d

plymouth-pretrigger.sh in dracut and udev, when running on Fedora 13 and 14, sets weak permissions for the /dev/systty device file, which allows remote authenticated users to read terminal data from tty0 for local users.

Published 2010-12-07 22:00:03

Updated 2022-06-03 15:09:18

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2010-4176

Probability of exploitation activity in the next 30 days: 0.17%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 53 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2010-4176

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2010-4176

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2010-4176

https://bugzilla.redhat.com/show_bug.cgi?id=654935

654935 – CVE-2010-4176 dracut: /dev/systty permissions could allow remote users to snoop on local users [fedora-all]
Issue Tracking;Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/051755.html

[SECURITY] Fedora 13 Update: udev-153-5.fc13
Mailing List;Third Party Advisory
http://www.vupen.com/english/advisories/2010/3062

Webmail | OVH- OVH
Permissions Required
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051418.html

[SECURITY] Fedora 14 Update: udev-161-7.fc14
Mailing List;Third Party Advisory
http://www.vupen.com/english/advisories/2010/3110

Webmail | OVH- OVH
Permissions Required
https://bugzilla.redhat.com/show_bug.cgi?id=654489

654489 – (CVE-2010-4176) CVE-2010-4176 dracut: /dev/systty permissions could allow remote users to snoop on local users
Issue Tracking;Third Party Advisory
http://www.securityfocus.com/bid/45046

Fedora 'Dracut' Package Insecure File Permissions Vulnerability
Third Party Advisory;VDB Entry

Products affected by CVE-2010-4176

Dracut Project » Dracut » Version: N/A
cpe:2.3:a:dracut_project:dracut:-:*:*:*:*:*:*:*
Matching versions
When used together with: Fedoraproject » Fedora » Version: 13
When used together with: Fedoraproject » Fedora » Version: 14
Udev Project » Udev » Version: N/A
cpe:2.3:a:udev_project:udev:-:*:*:*:*:*:*:*
Matching versions
When used together with: Fedoraproject » Fedora » Version: 13
When used together with: Fedoraproject » Fedora » Version: 14

Vulnerability Details : CVE-2010-4176

Exploit prediction scoring system (EPSS) score for CVE-2010-4176

CVSS scores for CVE-2010-4176

CWE ids for CVE-2010-4176

References for CVE-2010-4176

Products affected by CVE-2010-4176