Executive Summary

Summary
Title busybox security and bug fix update
Informations
Name RHSA-2013:1732 First vendor Publication 2013-11-21
Vendor RedHat Last vendor Modification 2013-11-21
Severity (Vendor) Low Revision 02

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated busybox packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

It was found that the mdev BusyBox utility could create certain directories within /dev with world-writable permissions. A local unprivileged user could use this flaw to manipulate portions of the /dev directory tree. (CVE-2013-1813)

This update also fixes the following bugs:

* Previously, due to a too eager string size optimization on the IBM System z architecture, the "wc" BusyBox command failed after processing standard input with the following error:

wc: : No such file or directory

This bug was fixed by disabling the string size optimization and the "wc" command works properly on IBM System z architectures. (BZ#820097)

* Prior to this update, the "mknod" command was unable to create device nodes with a major or minor number larger than 255. Consequently, the kdump utility failed to handle such a device. The underlying source code has been modified, and it is now possible to use the "mknod" command to create device nodes with a major or minor number larger than 255. (BZ#859817)

* If a network installation from an NFS server was selected, the "mount" command used the UDP protocol by default. If only TCP mounts were supported by the server, this led to a failure of the mount command. As a result, Anaconda could not continue with the installation. This bug is now fixed and NFS mount operations default to the TCP protocol. (BZ#855832)

All busybox users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

820097 - s390x: wc: : No such file or directory 919608 - CVE-2013-1813 busybox: insecure directory permissions in /dev

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-1732.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26241
 
Oval ID: oval:org.mitre.oval:def:26241
Title: RHSA-2013:1732: busybox security and bug fix update (Low)
Description: util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors.
Family: unix Class: patch
Reference(s): RHSA-2013:1732-03
CESA-2013:1732
CVE-2013-1813
Version: 3
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): busybox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27506
 
Oval ID: oval:org.mitre.oval:def:27506
Title: ELSA-2013-1732 -- busybox security and bug fix update (low)
Description: [1:1.15.1-20] - Resolves: #855832 'Installation from NFS: That directory could not be mounted from the server' by switching NFS mount default from UDP to TCP. There was another place (in uclibc this time) which used UDP.
Family: unix Class: patch
Reference(s): ELSA-2013-1732
CVE-2013-1813
Version: 3
Platform(s): Oracle Linux 6
Product(s): busybox
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 113
Os 1
Os 1

Nessus® Vulnerability Scanner

Date Description
2014-11-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1732.nasl - Type : ACT_GATHER_INFO
2013-11-27 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1732.nasl - Type : ACT_GATHER_INFO
2013-11-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1732.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2014-11-13 13:27:22
  • Multiple Updates
2014-02-17 11:57:39
  • Multiple Updates
2013-11-25 21:23:06
  • Multiple Updates
2013-11-23 17:22:46
  • Multiple Updates
2013-11-21 09:18:26
  • First insertion