Cryoserver Security Appliance vulnerable to privilege escalation

2014-10-07T00:00:00
ID VU:280844
Type cert
Reporter CERT
Modified 2014-10-07T14:00:00

Description

Overview

Cryoserver Security Appliance 7.3.x vulnerable to privilege escalation

Description

CWE-264: Permissions, Privileges, and Access Controls

Cryoserver Security Appliance 7.3.x does not properly assign permission to the /etc/init.d/cryoserver shell script and allows the default support account to modify it using the``/bin/cryo-mgmt script.


Impact

An authenticated attacker may be able to gain root access to the appliance.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Vendor Information

280844

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cryoserver Unknown

Notified: August 18, 2014 Updated: August 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 7.7 | AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal | 6.6 | E:POC/RL:U/RC:UR
Environmental | 4.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <http://www.cryoserver.com/appliance/>
  • <http://cwe.mitre.org/data/definitions/264.html>

Acknowledgements

Thanks to Chris Hernandez for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: | CVE-2014-4867
---|---
Date Public: | 2014-10-07
Date First Published: | 2014-10-07
Date Last Updated: | 2014-10-07 14:00 UTC
Document Revision: | 12