CVE-2004-0750
CVSS 7.5
Published: 2004-10-20 00:00:00
Last revised: 2010-08-21 00:21:12

[Original] Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares are exported to multiple hosts, can produce incorrect permissions and prevent the all_squash option from being applied.


[CNNVD] Red Hat redhat-config-nfs Exported Shares Configuration Vulnerability (CNNVD-200410-053)

        
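Red Hat is an open-source Linux operating system; redhat-config-nfs is used to create, modify, and delete NFS shares.
A configuration problem in Red Hat redhat-config-nfs can cause some options to have no effect, leading administrators to overlook some security threats.
When a share is exported to multiple hosts, a vulnerability in redhat-config-nfs can give some of the exported shares incorrect permissions. This happens because the "all_squash" option is not correctly applied to all of the listed hosts. The vulnerability can lead administrators to overlook some security threats.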
        

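- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]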

- CPE (Affected Platforms and Products)

cpe:/o:redhat:enterprise_linux_desktop:3.0 Red Hat Desktop 3.0
cpe:/o:redhat:enterprise_linux:3.0::workstation
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:redhat:enterprise_linux:3.0::advanced_servers

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10696 Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares are exported to multiple hosts, can produce incorrect permissions and ...
*OVAL describes in detail how to detect this vulnerability; more technical details for detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0750
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0750
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-053
(Official data source) CNNVD

- Other Links and Resources

http://www.redhat.com/support/errata/RHSA-2004-434.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:434
http://xforce.iss.net/xforce/xfdb/17478
(UNKNOWN)  XF  red-hat-permission-gain-privileges(17478)
http://www.securityfocus.com/bid/11240
(UNKNOWN)  BID  11240
http://www.securityfocus.com/archive/1/archive/1/419762/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:152787

- Vulnerability Information

Red Hat redhat-config-nfs Exported Shares Configuration Vulnerability
High risk  Configuration error
2004-10-20 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and Patches

        Vendor patch:
        RedHat
        ------
        RedHat has released a security advisory (RHSA-2004:434-01) and corresponding patches for this issue:
        RHSA-2004:434-01: Updated redhat-config-nfs package resolves several security issues
        Link:
        http://www.auscert.org.au/render.html?it=4411

        Patch downloads:
        Red Hat Enterprise Linux AS version 3:
        SRPMS:
        ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/redhat-config-nfs-1.0.13-6.src.rpm
        8ad0200a16439ba6341703e277b6edc0 redhat-config-nfs-1.0.13-6.src.rpm
        noarch:
        ddea963341fba763c3bd428f16c8fede redhat-config-nfs-1.0.13-6.noarch.rpm
        Red Hat Desktop version 3:
        SRPMS:
        ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/redhat-config-nfs-1.0.13-6.src.rpm
        8ad0200a16439ba6341703e277b6edc0 redhat-config-nfs-1.0.13-6.src.rpm
        noarch:
        ddea963341fba763c3bd428f16c8fede redhat-config-nfs-1.0.13-6.noarch.rpm
        Red Hat Enterprise Linux ES version 3:
        SRPMS:
        ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/redhat-config-nfs-1.0.13-6.src.rpm
        8ad0200a16439ba6341703e277b6edc0 redhat-config-nfs-1.0.13-6.src.rpm
        noarch:
        ddea963341fba763c3bd428f16c8fede redhat-config-nfs-1.0.13-6.noarch.rpm
        Red Hat Enterprise Linux WS version 3:
        SRPMS:
        ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/redhat-config-nfs-1.0.13-6.src.rpm
        8ad0200a16439ba6341703e277b6edc0 redhat-config-nfs-1.0.13-6.src.rpm
        noarch:
        ddea963341fba763c3bd428f16c8fede redhat-config-nfs-1.0.13-6.noarch.rpm
        The patch can be installed with the following command:
        rpm -Fvh [filename]

- Vulnerability Information

10219
Red Hat redhat-config-nfs Incorrect Share Permission Weakness
Local Access Required Misconfiguration
Loss of Confidentiality
Exploit Unknown

- Vulnerability Description

redhat-config-nfs contains a flaw that may allow a malicious user to gain access to unauthorized NFS shares. The issue is triggered when exporting shares to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. This flaw may lead to a loss of confidentiality.

- Timeline

2004-09-22 Unknown
Unknown Unknown

- Solution

Upgrade to version redhat-config-nfs-1.0.13-6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. It is also advised for users to check their NFS shares directly or via the /etc/exports file for any incorrectly set options.
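
As an added illustration of the check recommended above (not code from Red Hat or from any of the quoted advisories), the following Python sketch parses exports(5)-style text and reports exports where `all_squash` is set for some of the listed hosts but not for others. The page does not show what the faulty tool actually wrote, so the sample file and host names are constructed.

```python
import re

# client token: "host(opt,opt)" or bare "host"; "(opts)" alone has no host name
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^()]*)\))?$")

def parse_exports(text):
    """Yield (path, [(client, set_of_options), ...]) for each export entry."""
    logical = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *tokens = line.split()             # assumes paths without spaces
        clients = []
        for tok in tokens:
            m = CLIENT_RE.match(tok)
            if not m:
                continue                         # malformed token, skipped here
            name = m.group(1) or "<world>"       # "(opts)" alone applies to any host
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            clients.append((name, opts))
        yield path, clients

def missing_all_squash(text):
    """Return {path: [clients without all_squash]} for exports where at least
    one client has all_squash and at least one other client does not."""
    findings = {}
    for path, clients in parse_exports(text):
        squashed = [c for c, o in clients if "all_squash" in o]
        unsquashed = [c for c, o in clients if "all_squash" not in o]
        if squashed and unsquashed:
            findings[path] = unsquashed
    return findings

# Constructed sample; host names and paths are illustrative only.
SAMPLE = """\
# constructed sample
/srv/pub   hosta.example.com(ro,sync,all_squash) hostb.example.com(ro,sync)
/srv/data  hosta.example.com(rw,sync,all_squash) \\
           hostb.example.com(rw,sync,all_squash)
/srv/home  10.0.0.0/24(rw,sync)
/srv/drop  hostc.example.com(rw,all_squash) hostd.example.com
"""

if __name__ == "__main__":
    for path, clients in missing_all_squash(SAMPLE).items():
        print(f"{path}: all_squash not set for {', '.join(clients)}")
```

To audit a live system, pass the contents of /etc/exports to `missing_all_squash` and compare the findings with the options the server reports for its active exports.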

- Related References

- Vulnerability Credit

- Vulnerability Information

Red Hat redhat-config-nfs Exported Shares Configuration Vulnerability
Configuration Error 11240
Yes No
2004-09-23 12:00:00 2006-05-08 11:44:00
John Buswell is credited with the discovery of this issue.

- Affected Versions

RedHat Linux 9.0 i386
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3

- Vulnerability Discussion

Red Hat redhat-config-nfs is affected by a vulnerability when exporting share configurations. The application fails to apply proper settings to the affected network file system (NFS) shares.

This issue would cause some NFS options, such as 'all_squash', to fail to be applied, potentially giving administrators a false sense of security.

- Exploit

No exploit is required to leverage this issue.

- Solution


Please see the referenced advisories for additional information.


Red Hat Fedora Core2

RedHat Linux 9.0 i386

- Related References

     

     
