Executive Summary

Title: LabTech contains privilege escalation vulnerability

Information
Name: VU#637068
First vendor publication: 2015-01-23
Vendor: VU-CERT
Last vendor modification: 2015-01-29
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
CVSS base score: 6.8
Attack range: Local
CVSS impact score: 10
Attack complexity: Low
CVSS exploit score: 3.1
Authentication: Requires single instance

Detail

Vulnerability Note VU#637068

LabTech contains privilege escalation vulnerability

Original Release date: 23 Jan 2015 | Last revised: 29 Jan 2015

Overview

LabTech startup scripts and directories on Linux platforms are world-writeable and the scripts execute with root privileges.

Description

CWE-284: Improper Access Control

LabTech startup scripts and directories on Linux platforms are world-writeable and the scripts execute with root privileges.

Impact

A local, authenticated attacker may be able to gain root access to the system.

Solution

Apply an Update

This issue has been fixed in LabTech versions 100.237 and above. Version 100.237 is in beta at the time of this writing, and customers who wish to acquire it must sign up for LabTech's Beta program. Customers who are not able to upgrade or acquire version 100.237 of the software should consider the following workaround:

Remove world-writable access

Users who are unable to upgrade can manually remove world-writable permissions from the LabTech directories and startup scripts in order to mitigate this vulnerability.
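The workaround above as shell functions (an added example, not from the CERT note or from LabTech): one lists files and directories that carry the world-write bit, the other clears it and re-checks. The advisory does not name the LabTech install or startup-script locations, so the paths in the usage comment are placeholders to replace with the ones on your host.

```shell
#!/bin/sh
# Added example: audit and clear world-writable permissions on an agent's
# directories and startup scripts. Function names are illustrative.
#
# Usage (placeholder paths, run as root):
#   list_world_writable /path/to/labtech-agent /path/to/startup-script
#   fix_world_writable  /path/to/labtech-agent /path/to/startup-script

# Print every regular file or directory at or under the given paths that
# has the "other" write bit set. Symlinks are skipped because their own
# mode is not what the kernel checks; -xdev keeps the walk on one filesystem.
list_world_writable() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -xdev \( -type f -o -type d \) -perm -0002 -print
    done
}

# Clear the other-write bit on everything list_world_writable reports,
# logging each path first so the change can be reviewed or reverted.
# Returns non-zero if anything is still world-writable afterwards.
fix_world_writable() {
    list_world_writable "$@" | sed 's/^/removing o+w: /'
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -xdev \( -type f -o -type d \) -perm -0002 \
            -exec chmod o-w {} +
    done
    [ -z "$(list_world_writable "$@")" ]
}
```

Only the world-write bit is removed; owner and group permissions are left as they were, so check separately that the scripts are owned by root.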

Vendor Information

Vendor: LabTech Software
Status: Affected
Date Notified: -
Date Updated: 20 Jan 2015

CVSS Metrics

Group          Score  Vector
Base           6.8    AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal       5.8    E:POC/RL:U/RC:UR
Environmental  5.8    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • http://www.labtechsoftware.com/

Credit

Thanks to Iwan Boskamp for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2015-0926
  • Date Public: 23 Jan 2015
  • Date First Published: 23 Jan 2015
  • Date Last Updated: 29 Jan 2015
  • Document Revision: 23


Original Source

Url : http://www.kb.cert.org/vuls/id/637068

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-284  Access Control (Authorization) Issues

Alert History

Date                 Information
2015-02-03 21:26:53  Multiple Updates
2015-02-01 09:25:38  Multiple Updates
2015-01-29 17:21:37  Multiple Updates
2015-01-23 17:21:43  First insertion