D-Bus vulnerability CVE-2014-3477

2015-09-12T02:09:00
ID F5:K17255
Type f5
Reporter f5
Modified 2016-01-09T02:24:00

Description

The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service. (CVE-2014-3477)

Impact

This vulnerability may allow a locally authenticated user to cause a denial-of-service (DoS) or possibly conduct a side-channel attack through a D-Bus message to an inactive service.

For Traffix SDC, the dbus daemon is present only to satisfy package dependencies, so the impact of the dbus daemon becoming unavailable is minimal. In addition, only administrative users are allowed on Traffix SDC systems, which limits the number of potential attackers.

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
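Turning the affected ranges named in the description (1.2.x through 1.4.x, 1.6.x before 1.6.20, 1.8.x before 1.8.4) into a local check is a quick way to triage hosts before consulting the version table. The script below is an added example for this advisory, not F5's or the D-Bus project's code. It assumes that `dbus-daemon --version` prints the version on its first line after the words "D-Bus Message Bus Daemon"; SAMPLE_OUTPUT is a constructed stand-in for that output so the check can be exercised offline.

```python
"""Classify a D-Bus version against the ranges CVE-2014-3477 affects.

Added example for this advisory; not F5 or D-Bus project code.  The affected
ranges come from the CVE description: 1.2.x through 1.4.x (no fixed release
listed in those branches), 1.6.x before 1.6.20, and 1.8.x before 1.8.4.
"""
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample of `dbus-daemon --version` output.  The "D-Bus Message Bus
# Daemon <version>" first line is an assumption about the tool's output format.
SAMPLE_OUTPUT = """D-Bus Message Bus Daemon 1.8.3
Copyright (C) 2002, 2003 Red Hat, Inc., CodeFactory AB, and others
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for the first x.y[.z] found in text.

    Distribution suffixes such as "1.6.12-1ubuntu1" are ignored and a missing
    patch component is treated as 0.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: str) -> Optional[bool]:
    """True if the upstream version lies inside an affected range, False if it
    is outside every range the advisory lists, None if no version is parsable.

    Only the upstream version number is compared.  A distribution may have
    backported the fix without changing that number, so treat True as
    "confirm against the vendor's advisory", not as proof of exposure.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    if major != 1:
        return False
    if 2 <= minor <= 4:   # 1.2.x through 1.4.x: no fixed release listed
        return True
    if minor == 6:        # 1.6.x: fixed in 1.6.20
        return patch < 20
    if minor == 8:        # 1.8.x: fixed in 1.8.4
        return patch < 4
    return False          # 1.0.x, 1.1.x, 1.5.x, 1.7.x, 1.10 and later: not listed


def installed_dbus_version(output: Optional[str] = None) -> Optional[str]:
    """Extract the version from `dbus-daemon --version` output.

    When output is None the command is run locally; pass SAMPLE_OUTPUT (or any
    captured output) to evaluate offline.  Returns None if the binary is
    missing or the first line carries no version.
    """
    if output is None:
        try:
            output = subprocess.run(["dbus-daemon", "--version"],
                                    capture_output=True, text=True,
                                    check=False).stdout
        except FileNotFoundError:
            return None
    first_line = output.splitlines()[0] if output else ""
    parsed = parse_version(first_line)
    return ".".join(map(str, parsed)) if parsed else None


if __name__ == "__main__":
    # Prefer the locally installed daemon; fall back to the constructed sample.
    ver = installed_dbus_version() or installed_dbus_version(SAMPLE_OUTPUT)
    verdict = {True: "inside an affected range",
               False: "outside the listed ranges",
               None: "unknown"}[is_affected(ver or "")]
    print(f"dbus-daemon {ver}: {verdict}")
```

The check deliberately reports only "inside a listed range" versus "outside every listed range": the advisory names no fixed release for the 1.2.x to 1.4.x branches and says nothing about odd-numbered development branches, so a host on 1.4.x needs an upgrade rather than a patch-level comparison, and any True result should be confirmed against the distribution's own changelog, which may carry a backported fix under the same upstream version number.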

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in K4602: Overview of the F5 security vulnerability response policy.