2292346 – (CVE-2024-36587) CVE-2024-36587 DNSCrypt-proxy: escalate privileges to root via overwriting the binary dnscrypt-proxy

Bug 2292346 (CVE-2024-36587) - CVE-2024-36587 DNSCrypt-proxy: escalate privileges to root via overwriting the binary dnscrypt-proxy

Summary: CVE-2024-36587 DNSCrypt-proxy: escalate privileges to root via overwriting th...

Keywords:
Status:	NEW
Alias:	CVE-2024-36587
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2292347 2292348
Blocks:
TreeView+	depends on / blocked

Reported:	2024-06-14 05:47 UTC by Rohit Keshri
Modified:	2024-11-17 14:56 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-06-14 05:47:46 UTC

Insecure permissions in DNSCrypt-proxy v2.0.0alpha9 to v2.1.5 allows non-privileged attackers to escalate privileges to root via overwriting the binary dnscrypt-proxy.

https://github.com/go-compile/security-advisories/blob/master/vulns/CVE-2024-36587.md

Comment 1 Rohit Keshri 2024-06-14 05:48:07 UTC

Created dnscrypt-proxy tracking bugs for this issue:

Affects: epel-all [bug 2292347]
Affects: fedora-all [bug 2292348]

Comment 2 cmm11 2024-11-17 14:56:33 UTC

This CVE does not affect Fedora. It is only an issue if:
"dnscrypt-proxy has been installed as a service via ./dnscrypt-proxy -service install"

Which is the old generic linux install method (if someone didn't want to use a distro's package).

Note You need to log in before you can comment on or make changes to this bug.