Executive Summary
Summary | |
---|---|
Title | rtkit security update |
Informations | |||
---|---|---|---|
Name | RHSA-2013:1282 | First vendor Publication | 2013-09-24 |
Vendor | RedHat | Last vendor Modification | 2013-09-24 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.6 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An updated rtkit package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: RealtimeKit is a D-Bus system service that changes the scheduling policy of user processes/threads to SCHED_RR (that is, realtime scheduling mode) on request. It is intended to be used as a secure mechanism to allow real-time scheduling to be used by normal user processes. It was found that RealtimeKit communicated with PolicyKit for authorization using a D-Bus API that is vulnerable to a race condition. This could have led to intended PolicyKit authorizations being bypassed. This update modifies RealtimeKit to communicate with PolicyKit via a different API that is not vulnerable to the race condition. (CVE-2013-4326) All rtkit users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 1006677 - CVE-2013-4326 rtkit: insecure calling of polkit |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2013-1282.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:19317 | |||
Oval ID: | oval:org.mitre.oval:def:19317 | ||
Title: | USN-1959-1 -- rtkit vulnerability | ||
Description: | RealtimeKit could be tricked into bypassing polkit authorizations. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1959-1 CVE-2013-4326 | Version: | 5 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | rtkit |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21125 | |||
Oval ID: | oval:org.mitre.oval:def:21125 | ||
Title: | RHSA-2013:1282: rtkit security update (Important) | ||
Description: | RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1282-00 CESA-2013:1282 CVE-2013-4326 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | rtkit |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23490 | |||
Oval ID: | oval:org.mitre.oval:def:23490 | ||
Title: | ELSA-2013:1282: rtkit security update (Important) | ||
Description: | RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1282-00 CVE-2013-4326 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | rtkit |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26840 | |||
Oval ID: | oval:org.mitre.oval:def:26840 | ||
Title: | DEPRECATED: ELSA-2013-1282 -- rtkit security update (important) | ||
Description: | [0.5-2] - CVE-2013-4326 Resolves: #1007174 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1282 CVE-2013-4326 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | rtkit |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Os | 1 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-755.nasl - Type : ACT_GATHER_INFO |
2013-10-13 | Name : The remote Fedora host is missing a security update. File : fedora_2013-18442.nasl - Type : ACT_GATHER_INFO |
2013-10-10 | Name : The remote Fedora host is missing a security update. File : fedora_2013-17583.nasl - Type : ACT_GATHER_INFO |
2013-09-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-243.nasl - Type : ACT_GATHER_INFO |
2013-09-27 | Name : The remote Fedora host is missing a security update. File : fedora_2013-17529.nasl - Type : ACT_GATHER_INFO |
2013-09-25 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2013-1282.nasl - Type : ACT_GATHER_INFO |
2013-09-25 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2013-1282.nasl - Type : ACT_GATHER_INFO |
2013-09-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1282.nasl - Type : ACT_GATHER_INFO |
2013-09-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130924_rtkit_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-09-19 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1959-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:57:26 |
|
2013-10-04 21:26:33 |
|
2013-10-04 13:25:18 |
|
2013-09-24 21:19:06 |
|