Executive Summary
Summary | |
---|---|
Title | tog-pegasus security update |
Informations | |||
---|---|---|---|
Name | RHSA-2008:1001 | First vendor Publication | 2008-11-25 |
Vendor | RedHat | Last vendor Modification | 2008-11-25 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated tog-pegasus packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent Distributed Management Task Force (DMTF) standard that defines a common information model and communication protocol for monitoring and controlling resources. Red Hat defines additional security enhancements for OpenGroup Pegasus WBEM services in addition to those defined by the upstream OpenGroup Pegasus release. For details regarding these enhancements, refer to the file "README.RedHat.Security", included in the Red Hat tog-pegasus package. After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these additional security enhancements were no longer being applied. As a consequence, access to OpenPegasus WBEM services was not restricted to the dedicated users as described in README.RedHat.Security. An attacker able to authenticate using a valid user account could use this flaw to send requests to WBEM services. (CVE-2008-4313) Note: default SELinux policy prevents tog-pegasus from modifying system files. This flaw's impact depends on whether or not tog-pegasus is confined by SELinux, and on any additional CMPI providers installed and enabled on a particular system. Failed authentication attempts against the OpenPegasus CIM server were not logged to the system log as documented in README.RedHat.Security. An attacker could use this flaw to perform password guessing attacks against a user account without leaving traces in the system log. (CVE-2008-4315) All tog-pegasus users are advised to upgrade to these updated packages, which contain patches to correct these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 459217 - CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase 472017 - CVE-2008-4315 tog-pegasus: failed authentication attempts not logged via PAM |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2008-1001.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:22186 | |||
Oval ID: | oval:org.mitre.oval:def:22186 | ||
Title: | ELSA-2008:1001: tog-pegasus security update (Important) | ||
Description: | tog-pegasus in OpenGroup Pegasus 2.7.0 on Red Hat Enterprise Linux (RHEL) 5, Fedora 9, and Fedora 10 does not log failed authentication attempts to the OpenPegasus CIM server, which makes it easier for remote attackers to avoid detection of password guessing attacks. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2008:1001-01 CVE-2008-4313 CVE-2008-4315 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | tog-pegasus |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:29308 | |||
Oval ID: | oval:org.mitre.oval:def:29308 | ||
Title: | RHSA-2008:1001 -- tog-pegasus security update (Important) | ||
Description: | Updated tog-pegasus packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent Distributed Management Task Force (DMTF) standard that defines a common information model and communication protocol for monitoring and controlling resources. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2008:1001 CESA-2008:1001-CentOS 5 CVE-2008-4313 CVE-2008-4315 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | tog-pegasus |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:9431 | |||
Oval ID: | oval:org.mitre.oval:def:9431 | ||
Title: | tog-pegasus in OpenGroup Pegasus 2.7.0 on Red Hat Enterprise Linux (RHEL) 5, Fedora 9, and Fedora 10 does not log failed authentication attempts to the OpenPegasus CIM server, which makes it easier for remote attackers to avoid detection of password guessing attacks. | ||
Description: | tog-pegasus in OpenGroup Pegasus 2.7.0 on Red Hat Enterprise Linux (RHEL) 5, Fedora 9, and Fedora 10 does not log failed authentication attempts to the OpenPegasus CIM server, which makes it easier for remote attackers to avoid detection of password guessing attacks. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-4315 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9556 | |||
Oval ID: | oval:org.mitre.oval:def:9556 | ||
Title: | A certain Red Hat patch for tog-pegasus in OpenGroup Pegasus 2.7.0 does not properly configure the PAM tty name, which allows remote authenticated users to bypass intended access restrictions and send requests to OpenPegasus WBEM services. | ||
Description: | A certain Red Hat patch for tog-pegasus in OpenGroup Pegasus 2.7.0 does not properly configure the PAM tty name, which allows remote authenticated users to bypass intended access restrictions and send requests to OpenPegasus WBEM services. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-4313 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | 1 | |
Os | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2009-03-06 | Name : RedHat Update for tog-pegasus RHSA-2008:1001-01 File : nvt/gb_RHSA-2008_1001-01_tog-pegasus.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
50278 | OpenPegasus CIM server (tog-pegasus) on Red Hat Linux Failed Authentication L... |
50277 | OpenPegasus WBEM Services (tog-pegasus) on Red Hat Linux Access Control Rever... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-1001.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20081125_tog_pegasus_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-1001.nasl - Type : ACT_GATHER_INFO |
2008-11-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-1001.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:52:05 |
|