Executive Summary
Summary | |
---|---|
Title | LVM2 vulnerability |
Informations | |||
---|---|---|---|
Name | USN-1001-1 | First vendor Publication | 2010-10-06 |
Vendor | Ubuntu | Last vendor Modification | 2010-10-06 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.6 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.04 Ubuntu 9.10 Ubuntu 10.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: Ubuntu 8.04 LTS: Ubuntu 9.04: Ubuntu 9.10: Ubuntu 10.04 LTS: In general, a standard system update will make all the necessary changes. In a clustering environment, you need to restart clvmd after the update. Details follow: The cluster logical volume manager daemon (clvmd) in LVM2 did not correctly validate credentials. A local user could use this flaw to manipulate logical volumes without root privileges and cause a denial of service in the cluster. |
Original Source
Url : http://www.ubuntu.com/usn/USN-1001-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-287 | Improper Authentication |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12539 | |||
Oval ID: | oval:org.mitre.oval:def:12539 | ||
Title: | DSA-2095-1 lvm2 -- insecure communication protocol | ||
Description: | Alasdair Kergon discovered that the cluster logical volume manager daemon in lvm2, The Linux Logical Volume Manager, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service. For the stable distribution, this problem has been fixed in version 2.02.39-8 For the testing distribution, and the unstable distribution, this problem has been fixed in version 2.02.66-3 We recommend that you upgrade your lvm2 package. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2095-1 CVE-2010-2526 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | lvm2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:13264 | |||
Oval ID: | oval:org.mitre.oval:def:13264 | ||
Title: | USN-1001-1 -- lvm2 vulnerability | ||
Description: | The cluster logical volume manager daemon in LVM2 did not correctly validate credentials. A local user could use this flaw to manipulate logical volumes without root privileges and cause a denial of service in the cluster. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1001-1 CVE-2010-2526 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 10.04 Ubuntu 9.10 Ubuntu 6.06 Ubuntu 9.04 | Product(s): | lvm2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22225 | |||
Oval ID: | oval:org.mitre.oval:def:22225 | ||
Title: | RHSA-2010:0567: lvm2-cluster security update (Moderate) | ||
Description: | The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0567-01 CESA-2010:0567 CVE-2010-2526 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | lvm2-cluster |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22792 | |||
Oval ID: | oval:org.mitre.oval:def:22792 | ||
Title: | ELSA-2010:0567: lvm2-cluster security update (Moderate) | ||
Description: | The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0567-01 CVE-2010-2526 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | lvm2-cluster |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27685 | |||
Oval ID: | oval:org.mitre.oval:def:27685 | ||
Title: | DEPRECATED: ELSA-2010-0567 -- lvm2-cluster security update (moderate) | ||
Description: | [2.02.56-el5_5.4] - CVE-2010-2526: Fix insecurity when communicating between lvm2 and clvmd. Resolves: #616044 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0567 CVE-2010-2526 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | lvm2-cluster |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for lvm2-cluster CESA-2010:0567 centos5 i386 File : nvt/gb_CESA-2010_0567_lvm2-cluster_centos5_i386.nasl |
2010-12-02 | Name : Fedora Update for lvm2 FEDORA-2010-13239 File : nvt/gb_fedora_2010_13239_lvm2_fc14.nasl |
2010-10-19 | Name : Ubuntu Update for lvm2 vulnerability USN-1001-1 File : nvt/gb_ubuntu_USN_1001_1.nasl |
2010-10-10 | Name : Debian Security Advisory DSA 2095-1 (lvm2) File : nvt/deb_2095_1.nasl |
2010-10-01 | Name : Fedora Update for lvm2 FEDORA-2010-12250 File : nvt/gb_fedora_2010_12250_lvm2_fc12.nasl |
2010-09-14 | Name : Fedora Update for lvm2 FEDORA-2010-13708 File : nvt/gb_fedora_2010_13708_lvm2_fc13.nasl |
2010-09-14 | Name : Fedora Update for udisks FEDORA-2010-13708 File : nvt/gb_fedora_2010_13708_udisks_fc13.nasl |
2010-09-07 | Name : Mandriva Update for lvm2 MDVSA-2010:171 (lvm2) File : nvt/gb_mandriva_MDVSA_2010_171.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
66753 | LVM2 clvmd Abstract Socket Credential Check Weakness Local Privilege Escalation |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-09.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2010-0567.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2010-0567.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100728_lvm2_cluster_lvm2_for_SL5.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_lvm2-clvm2-100820.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_lvm2-100730.nasl - Type : ACT_GATHER_INFO |
2010-10-07 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1001-1.nasl - Type : ACT_GATHER_INFO |
2010-09-27 | Name : The remote Fedora host is missing a security update. File : fedora_2010-12250.nasl - Type : ACT_GATHER_INFO |
2010-09-16 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_lvm2-100812.nasl - Type : ACT_GATHER_INFO |
2010-09-12 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2010-13708.nasl - Type : ACT_GATHER_INFO |
2010-09-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-171.nasl - Type : ACT_GATHER_INFO |
2010-09-02 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13239.nasl - Type : ACT_GATHER_INFO |
2010-08-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2095.nasl - Type : ACT_GATHER_INFO |
2010-07-30 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2010-0567.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:57:57 |
|