Lucene search

K
certCERTVU:280844
HistoryOct 07, 2014 - 12:00 a.m.

Cryoserver Security Appliance vulnerable to privilege escalation

2014-10-0700:00:00
www.kb.cert.org
27

6.8 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:S/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

0.4%

Overview

Cryoserver Security Appliance 7.3.x vulnerable to privilege escalation

Description

CWE-264: Permissions, Privileges, and Access Controls

Cryoserver Security Appliance 7.3.x does not properly assign permission to the /etc/init.d/cryoserver shell script and allows the default support account to modify it using the ``/bin/cryo-mgmt script.


Impact

An authenticated attacker may be able to gain root access to the appliance.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Vendor Information

280844

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cryoserver Unknown

Notified: August 18, 2014 Updated: August 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group Score Vector
Base 7.7 AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal 6.6 E:POC/RL:U/RC:UR
Environmental 4.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Chris Hernandez for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-4867
Date Public: 2014-10-07 Date First Published:

6.8 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:S/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

0.4%

Related for VU:280844