Improper D-Bus Security Configuration in Tizen Affects Package Management
CVE-2018-16262

8.8HIGH

Key Information:

Vendor
Linux
Status
Tizen
Vendor
CVE Published:
22 January 2020

Summary

The pkgmgr system service in Tizen is vulnerable due to incorrect configurations in its D-Bus security policy, permitting an unprivileged process to execute critical package management operations. These include the ability to install, decrypt, and terminate other software packages. This flaw specifically impacts Tizen versions prior to 5.0 M1 and several Tizen-based firmware versions on devices like the Samsung Galaxy Gear series, allowing unauthorized actions that compromise the integrity and safety of the device's operating environment.

References

https://review.tizen.org/git/?p=platform/core/appfw/pkgmg...
x_refsource_MISC
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20...
x_refsource_MISC
https://www.youtube.com/watch?v=3IdgBwbOT-g&feature=youtu.be
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.