SB2016051316 - Improper access control in Debian Linux
Published: May 13, 2016 Updated: August 9, 2020
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2016-2860)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote authenticated user to manipulate data.
The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.
Remediation
Install the update from the vendor's website (OpenAFS 1.6.17 or later; see the references below).
References
- http://git.openafs.org/?p=openafs.git;a=commitdiff;h=396240cf070a806b91fea81131d034e1399af1e0
- http://www.debian.org/security/2016/dsa-3569
- http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
- https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
- https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17