SB2005122301 - Missing authorization in Linux kernel
Published: December 23, 2005 Updated: June 20, 2024
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing authorization (CVE-ID: CVE-2005-3623)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
nfs2acl.c in the Linux kernel 2.6.14.4 does not check for the MAY_SATTR privilege before setting access control lists (ACLs) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for read-only mounted NFS filesystems.
Remediation
Install the update from the vendor's website.
References
- http://lkml.org/lkml/2005/12/23/171
- http://www.novell.com/linux/security/advisories/2006_06_kernel.html
- http://secunia.com/advisories/18788
- http://lists.suse.de/archive/suse-security-announce/2006-Feb/0010.html
- http://secunia.com/advisories/19038
- http://www.securityfocus.com/bid/16570
- http://www.redhat.com/support/errata/RHSA-2006-0575.html
- http://secunia.com/advisories/21465
- http://support.avaya.com/elmodocs2/security/ASA-2006-200.htm
- http://secunia.com/advisories/22417
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11707