CVE-2019-12594
📋 TL;DR
CVE-2019-12594 is an incorrect access control vulnerability in DOSBox 0.74-2 that allows local users to escalate privileges or execute arbitrary code. This affects systems where DOSBox is installed and multiple users have access. The vulnerability stems from improper file permission handling in DOSBox's configuration.
💻 Affected Systems
- DOSBox
📦 What is this software?
Dosbox by Dosbox
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains root/administrator privileges leading to complete system compromise.
Likely Case
Local user escalates privileges to execute arbitrary code with elevated permissions.
If Mitigated
Impact limited to denial of service or configuration corruption if proper user isolation exists.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.74-3 and later
Vendor Advisory: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931222
Restart Required: No
Instructions:
1. Update DOSBox using your package manager (apt-get update && apt-get upgrade dosbox on Debian/Ubuntu). 2. Verify installation of version 0.74-3 or later. 3. No restart required.
🔧 Temporary Workarounds
Restrict DOSBox permissions
linuxSet strict file permissions on DOSBox configuration and executable files
chmod 750 /usr/games/dosbox
chmod 644 /etc/dosbox/*
Remove DOSBox from shared systems
linuxUninstall DOSBox from multi-user systems where not essential
apt-get remove dosbox
🧯 If You Can't Patch
- Restrict DOSBox usage to trusted users only
- Implement strict file system permissions and user isolation
🔍 How to Verify
Check if Vulnerable:
Check DOSBox version: dosbox -version | grep '0.74-2'Check Version:
dosbox -versionVerify Fix Applied:
Verify version is 0.74-3 or later: dosbox -version📡 Detection & Monitoring
Log Indicators:
- Unauthorized file access attempts in DOSBox logs
- Suspicious privilege escalation attempts
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
source="dosbox" AND (event="permission_denied" OR event="access_violation")🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00053.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931222
- https://lists.debian.org/debian-lts-announce/2019/07/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYV27Z3QZTDHUZJLW3LDJYO7HBVIMJ5F/
- https://seclists.org/bugtraq/2019/Jul/14
- https://security-tracker.debian.org/tracker/CVE-2019-12594
- https://www.debian.org/security/2019/dsa-4478
- https://www.dosbox.com/crew.php
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00053.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931222
- https://lists.debian.org/debian-lts-announce/2019/07/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYV27Z3QZTDHUZJLW3LDJYO7HBVIMJ5F/
- https://seclists.org/bugtraq/2019/Jul/14
- https://security-tracker.debian.org/tracker/CVE-2019-12594
- https://www.debian.org/security/2019/dsa-4478
- https://www.dosbox.com/crew.php
