CVE-2013-4325 : The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not proper

The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process.

Published 2013-09-23 10:18:59

Updated 2014-01-14 04:27:07

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-4325

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-4325

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2013-4325

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-4325

http://rhn.redhat.com/errata/RHSA-2013-1274.html

RHSA-2013:1274 - Security Advisory - Red Hat Customer Portal
https://bugzilla.redhat.com/show_bug.cgi?id=1002375

1002375 – (CVE-2013-4288) CVE-2013-4288 polkit: unix-process subject for authorization is racy
http://lists.opensuse.org/opensuse-updates/2013-11/msg00000.html

openSUSE-SU-2013:1620-1: moderate: update for hplip

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1956-1

USN-1956-1: HPLIP vulnerability | Ubuntu security notices
http://lists.opensuse.org/opensuse-updates/2013-10/msg00062.html

openSUSE-SU-2013:1617-1: moderate: update for hplip

CVEs referencing this url
http://www.debian.org/security/2013/dsa-2829

Debian -- Security Information -- DSA-2829-1 hplip

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1006674

1006674 – (CVE-2013-4325) CVE-2013-4325 hplip: Insecure calling of polkit

Products affected by CVE-2013-4325

HP » Linux Imaging And Printing Project » Version: 1.0
cpe:2.3:a:hp:linux_imaging_and_printing_project:1.0:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.10.9
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.10.9:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.9.8
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.9.8:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.11.5
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.11.5:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.11.3
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.11.3:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.11.1
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.11.1:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.9.4b
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.9.4b:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.9.4
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.9.4:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.11.7
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.11.7:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.11.3a
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.11.3a:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.9.10
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.9.10:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.9.6
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.9.6:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.10.6
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.10.6:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.10.5
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.10.5:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.9.2
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.9.2:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.10.2
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.10.2:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.9.12
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.9.12:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.12.10
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.12.10:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.12.10 Update A
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.12.10:a:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.12.11
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.12.11:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 2.7.10
cpe:2.3:a:hp:linux_imaging_and_printing_project:2.7.10:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.12.2
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.12.2:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.12.6
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.12.6:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 2.0
cpe:2.3:a:hp:linux_imaging_and_printing_project:2.0:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.11.10
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.11.10:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.12.4
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.12.4:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.12.9
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.12.9:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.7
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.7:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.8
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.8:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.4
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.4:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.5
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.5:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.6
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.6:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.2
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.2:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.3
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.3:*:*:*:*:*:*:*
Matching versions
HP » Linux Imaging And Printing Project » Version: 3.13.9
cpe:2.3:a:hp:linux_imaging_and_printing_project:3.13.9:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-4325

Exploit prediction scoring system (EPSS) score for CVE-2013-4325

CVSS scores for CVE-2013-4325

CWE ids for CVE-2013-4325

References for CVE-2013-4325

Products affected by CVE-2013-4325