Executive Summary
| Informations | |||
|---|---|---|---|
| Name | MDVSA-2009:253 | First vendor Publication | 2009-10-01 |
| Vendor | Mandriva | Last vendor Modification | 2009-10-01 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 8.5 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A vulnerability was discovered and corrected in backuppc: CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in use in a multi-user environment, does not restrict users from the ClientNameAlias function, which allows remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore (CVE-2009-3369). This update provides a fix for this vulnerability. |
Original Source
| Url : http://www.mandriva.com/security/advisories?name=MDVSA-2009:253 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13557 | |||
| Oval ID: | oval:org.mitre.oval:def:13557 | ||
| Title: | USN-843-1 -- backuppc vulnerability | ||
| Description: | It was discovered that BackupPC did not restrict normal users from setting the ClientNameAlias parameter. An authenticated user could exploit this to gain access to unauthorized hosts. This update fixed the issue by preventing normal users from modifying the ClientNameAlias configuration parameter. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-843-1 CVE-2009-3369 | Version: | 5 |
| Platform(s): | Ubuntu 8.10 Ubuntu 8.04 Ubuntu 9.04 | Product(s): | backuppc |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-11-11 | Name : Fedora Core 10 FEDORA-2009-9973 (BackupPC) File : nvt/fcore_2009_9973.nasl |
| 2009-11-11 | Name : Fedora Core 11 FEDORA-2009-9982 (BackupPC) File : nvt/fcore_2009_9982.nasl |
| 2009-10-13 | Name : Ubuntu USN-843-1 (backuppc) File : nvt/ubuntu_843_1.nasl |
| 2009-10-08 | Name : BackupPC 'ClientNameAlias' Function Security Bypass Vulnerability File : nvt/gb_backuppc_clientnamealias_sec_bypass_vuln.nasl |
| 2009-10-06 | Name : Mandrake Security Advisory MDVSA-2009:253 (backuppc) File : nvt/mdksa_2009_253.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 57236 | BackupPC CgiUserConfigEdit ClientNameAlias SSH Rsync Backup Security Restrict... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-10-28 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9973.nasl - Type : ACT_GATHER_INFO |
| 2009-10-28 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9982.nasl - Type : ACT_GATHER_INFO |
| 2009-10-07 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-843-1.nasl - Type : ACT_GATHER_INFO |
