Executive Summary

Informations
Name MDVSA-2010:171 First vendor Publication 2010-09-06
Vendor Mandriva Last vendor Modification 2010-09-06
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 4.6 Attack Range Local
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability has been found and corrected in lvm2:

The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands (CVE-2010-2526).

The updated packages have been patched to correct this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2010:171

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12539
 
Oval ID: oval:org.mitre.oval:def:12539
Title: DSA-2095-1 lvm2 -- insecure communication protocol
Description: Alasdair Kergon discovered that the cluster logical volume manager daemon in lvm2, The Linux Logical Volume Manager, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service. For the stable distribution, this problem has been fixed in version 2.02.39-8 For the testing distribution, and the unstable distribution, this problem has been fixed in version 2.02.66-3 We recommend that you upgrade your lvm2 package.
Family: unix Class: patch
Reference(s): DSA-2095-1
CVE-2010-2526
 Version: 5
Platform(s): Debian GNU/Linux 5.0
 Product(s): lvm2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13264
 
Oval ID: oval:org.mitre.oval:def:13264
Title: USN-1001-1 -- lvm2 vulnerability
Description: The cluster logical volume manager daemon in LVM2 did not correctly validate credentials. A local user could use this flaw to manipulate logical volumes without root privileges and cause a denial of service in the cluster.
Family: unix Class: patch
Reference(s): USN-1001-1
CVE-2010-2526
 Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 10.04
Ubuntu 9.10
Ubuntu 6.06
Ubuntu 9.04
 Product(s): lvm2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22225
 
Oval ID: oval:org.mitre.oval:def:22225
Title: RHSA-2010:0567: lvm2-cluster security update (Moderate)
Description: The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands.
Family: unix Class: patch
Reference(s): RHSA-2010:0567-01
CESA-2010:0567
CVE-2010-2526
 Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): lvm2-cluster
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22792
 
Oval ID: oval:org.mitre.oval:def:22792
Title: ELSA-2010:0567: lvm2-cluster security update (Moderate)
Description: The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands.
Family: unix Class: patch
Reference(s): ELSA-2010:0567-01
CVE-2010-2526
 Version: 6
Platform(s): Oracle Linux 5
 Product(s): lvm2-cluster
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27685
 
Oval ID: oval:org.mitre.oval:def:27685
Title: DEPRECATED: ELSA-2010-0567 -- lvm2-cluster security update (moderate)
Description: [2.02.56-el5_5.4] - CVE-2010-2526: Fix insecurity when communicating between lvm2 and clvmd. Resolves: #616044
Family: unix Class: patch
Reference(s): ELSA-2010-0567
CVE-2010-2526
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): lvm2-cluster
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 22

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for lvm2-cluster CESA-2010:0567 centos5 i386
File : nvt/gb_CESA-2010_0567_lvm2-cluster_centos5_i386.nasl
2010-12-02 Name : Fedora Update for lvm2 FEDORA-2010-13239
File : nvt/gb_fedora_2010_13239_lvm2_fc14.nasl
2010-10-19 Name : Ubuntu Update for lvm2 vulnerability USN-1001-1
File : nvt/gb_ubuntu_USN_1001_1.nasl
2010-10-10 Name : Debian Security Advisory DSA 2095-1 (lvm2)
File : nvt/deb_2095_1.nasl
2010-10-01 Name : Fedora Update for lvm2 FEDORA-2010-12250
File : nvt/gb_fedora_2010_12250_lvm2_fc12.nasl
2010-09-14 Name : Fedora Update for lvm2 FEDORA-2010-13708
File : nvt/gb_fedora_2010_13708_lvm2_fc13.nasl
2010-09-14 Name : Fedora Update for udisks FEDORA-2010-13708
File : nvt/gb_fedora_2010_13708_udisks_fc13.nasl
2010-09-07 Name : Mandriva Update for lvm2 MDVSA-2010:171 (lvm2)
File : nvt/gb_mandriva_MDVSA_2010_171.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
66753 LVM2 clvmd Abstract Socket Credential Check Weakness Local Privilege Escalation

Nessus® Vulnerability Scanner

Date Description
2014-12-15 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201412-09.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2010-0567.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2010-0567.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100728_lvm2_cluster_lvm2_for_SL5.nasl - Type : ACT_GATHER_INFO
2011-01-21 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_lvm2-clvm2-100820.nasl - Type : ACT_GATHER_INFO
2010-12-02 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_lvm2-100730.nasl - Type : ACT_GATHER_INFO
2010-10-07 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1001-1.nasl - Type : ACT_GATHER_INFO
2010-09-27 Name : The remote Fedora host is missing a security update.
File : fedora_2010-12250.nasl - Type : ACT_GATHER_INFO
2010-09-16 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_lvm2-100812.nasl - Type : ACT_GATHER_INFO
2010-09-12 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-13708.nasl - Type : ACT_GATHER_INFO
2010-09-07 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-171.nasl - Type : ACT_GATHER_INFO
2010-09-02 Name : The remote Fedora host is missing a security update.
File : fedora_2010-13239.nasl - Type : ACT_GATHER_INFO
2010-08-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2095.nasl - Type : ACT_GATHER_INFO
2010-07-30 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2010-0567.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:41:42
  • Multiple Updates