Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200606-07
HistoryJun 09, 2006 - 12:00 a.m.

Vixie Cron: Privilege Escalation

2006-06-0900:00:00
Gentoo Foundation
security.gentoo.org
7

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.9%

JSON

Background

Vixie Cron is a command scheduler with extended syntax over cron.

Description

Roman Veretelnikov discovered that Vixie Cron fails to properly check whether it can drop privileges accordingly if setuid() in do_command.c fails due to a user exceeding assigned resource limits.

Impact

Local users can execute code with root privileges by deliberately exceeding their assigned resource limits and then starting a command through Vixie Cron. This requires resource limits to be in place on the machine.

Workaround

There is no known workaround at this time.

Resolution

All Vixie Cron users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r9"
OSVersionArchitecturePackageVersionFilename
Gentooanyallsys-process/vixie-cron< 4.1-r9UNKNOWN

Related

nessus 6
centos 1
suse 1
ubuntucve 1
cve 1
debiancve 1
myhack58 1
redhat 1
openvas 4
prion 1
ubuntu 1
nessus
nessus
GLSA-200606-07 : Vixie Cron: Privilege Escalation
2006-06-11 00:00:00
Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : cron vulnerability (USN-778-1)
2009-06-02 00:00:00
SUSE-SA:2006:027: cron
2006-06-01 00:00:00
centos
centos
vixie security update
2006-07-12 18:56:16
suse
suse
local privilege escalation in cron
2006-05-31 13:32:34
ubuntucve
ubuntucve
CVE-2006-2607
2006-05-25 00:00:00
cve
cve
CVE-2006-2607
2006-05-25 20:02:00
debiancve
debiancve
CVE-2006-2607
2006-05-25 20:02:00
myhack58
myhack58
Setuid() - nproc limit the type of vulnerability of in-depth analysis-vulnerability warning-the black bar safety net
2006-08-04 00:00:00
redhat
redhat
(RHSA-2006:0539) vixie-cron security update
2006-07-12 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 200606-07 (vixie-cron)
2008-09-24 00:00:00
Ubuntu: Security Advisory (USN-778-1)
2009-06-05 00:00:00
Gentoo Security Advisory GLSA 200606-07 (vixie-cron)
2008-09-24 00:00:00
prion
prion
Deserialization of untrusted data
2006-05-25 20:02:00
ubuntu
ubuntu
cron vulnerability
2009-06-01 00:00:00

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.9%

JSON
Related for GLSA-200606-07
nessus6centos1suse1ubuntucve1cve1debiancve1myhack581redhat1openvas4prion1ubuntu1