CVE-2014-3462
high
CVSS v3
7.5
CVSS v2
5.0
VIR risk
7.5
Description
The ".encfs6.xml" configuration file in encfs before 1.7.5 allows remote attackers to access sensitive data by setting "blockMACBytes" to 0 and adding 8 to "blockMACRandBytes".
Predictions
Exploit likelihood
83%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-3462
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2014-3462.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 1.8.1-1 |
| debian | bullseye | fixed | 1.8.1-1 |
| debian | sid | fixed | 1.8.1-1 |
| debian | trixie | fixed | 1.8.1-1 |
| suse | 42.1 | affected | |
| suse | 42.2 | affected | |
| suse | 13.2 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| encfs_project | encfs | {"endExcluding":"1.7.5"} | 1.7.5 |
References
- https://www.suse.com/security/cve/CVE-2014-3462.html
- http://lists.opensuse.org/opensuse-updates/2017-01/msg00090.html
- http://www.openwall.com/lists/oss-security/2014/05/14/2
- https://bugzilla.redhat.com/show_bug.cgi?id=1097537
- https://security.gentoo.org/glsa/201512-09
- https://security-tracker.debian.org/tracker/CVE-2014-3462
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.