util-linux-ng login data manipulation
| utillinuxng-login-data-manipulation (41987) |  Low Risk |
Description:
util-linux-ng could allow a remote attacker to manipulate data, caused by an argument injection vulnerability in login-utils/login.c. By editing portions of log events, a remote attacker could exploit this vulnerability to hide activities and possibly insert arbitrary data into the audit log.
*CVSS:
| Base Score: | 5 |
| Access Vector: | Network |
| Access Complexity: | Low |
| Authentication: | None |
| Confidentiality Impact: | None |
| Integrity Impact: | Partial |
| Availability Impact: | None |
| Temporal Score: | 3.7 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of util-linux-ng (2.13.1.1 or later), available from the util-linux Web page. See References.
References:
- Linux Kernel GIT Repository: login: audit log injection attack via login.
- Linux Kernel GIT Repository: login: audit log injection attack via login.
- util-linux Web page: util-linux - Default branch.
- ASA-2009-228: util-linux security and bug fix update (RHSA-2009-0981)
- BID-28983: util-linux-ng 'login' Remote Log Injection Weakness
- CVE-2008-1926: Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an addr= statement to the login name, aka audit log injection.
- MDVSA-2008:114: Updated util-linux-ng packages fix log injection issue
- RHSA-2009-0981: Low: util-linux security and bug fix update
- SA30014: util-linux-ng "login" Audit Log Injection Weakness
- SECTRACK ID: 1022256: Util-linux Input Validation Flaw Lets Remote Users Inject Data into the Log Files
- VUPEN/ADV-2008-1392: util-linux-ng logaudit() Audit Logs Injection Security Weakness
Platforms Affected:
- Kernel util-linux 2.11h
- Kernel util-linux 2.11i
- Kernel util-linux 2.11k
- Kernel util-linux 2.11l
- Kernel util-linux 2.12a
- Kernel util-linux 2.12r
- Kernel util-linux 2.13-pre1
- Kernel util-linux 2.13-pre2
- Kernel util-linux 2.14
- MandrakeSoft Mandrake Linux 2008.0
- MandrakeSoft Mandrake Linux 2008.0 X86_64
- MandrakeSoft Mandrake Linux 2008.1
- MandrakeSoft Mandrake Linux 2008.1 X86_64
- RedHat Enterprise Linux 4 ES
- RedHat Enterprise Linux 4 AS
- RedHat Enterprise Linux 4 WS
- RedHat Enterprise Linux 4 Desktop
Reported:
Apr 21, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.