
CVE-2009-0115

device-mapper-multipath: insecure permissions on multipathd.sock

  • Severity Score (CVSS v3.1): 7.8
  • Exploit Likelihood (EPSS)
  • Affected Versions (CPE)
  • Public Exploits (Multiple Sources): 1
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.

multipath-tools in SUSE openSUSE v10.3 through v11.0 and SUSE Linux Enterprise Server (SLES) v10 uses world-writable permissions for the socket file (also known as /var/run/multipathd.sock), allowing local users to send commands of their choice to the "multipath" daemon.

*Credits: N/A
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete

  • Attack Vector: Local
  • Attack Complexity: High
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2009-01-13 CVE Reserved
  • 2009-03-30 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Christophe.varoqui | Multipath-tools | 0.4.8 | - | Affected |
| Fedoraproject | Fedora | 9 | - | Affected |
| Fedoraproject | Fedora | 10 | - | Affected |
| Debian | Debian Linux | 4.0 | - | Affected |
| Debian | Debian Linux | 5.0 | - | Affected |
| Avaya | Intuity Audix Lx | 2.0 | - | Affected |
| Avaya | Intuity Audix Lx | 2.0 | sp1 | Affected |
| Avaya | Intuity Audix Lx | 2.0 | sp2 | Affected |
| Avaya | Message Networking | 3.1 | - | Affected |
| Avaya | Messaging Storage Server | 3.0 | - | Affected |
| Avaya | Messaging Storage Server | 4.0 | - | Affected |
| Avaya | Messaging Storage Server | 5.0 | - | Affected |
| Novell | Open Enterprise Server | - | - | Affected |
| Opensuse | Opensuse | >= 10.3 <= 11.0 | - | Affected |
| Suse | Linux Enterprise Desktop | 9 | - | Affected |
| Suse | Linux Enterprise Server | 9 | - | Affected |
| Suse | Linux Enterprise Server | 10 | - | Affected |
| Juniper | Ctpview | < 7.1 | - | Affected |
| Juniper | Ctpview | 7.1 | - | Affected |