SB2020072877 - Improper Privilege Management in hylafaxplus (Alpine package)




Published: July 28, 2020

Security Bulletin ID: SB2020072877
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Privilege Management (CVE-ID: CVE-2020-15396)

The vulnerability allows a local user to escalate privileges on the system.

In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root.
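
A path-based chown inside a directory that another user controls resolves the name at call time, so the entry can be swapped (for example for a symlink) between any check and the call. The following is an added example, not HylaFAX+ code and not the vendor's patch, of the usual mitigation: open the entry without following symlinks, then check and change ownership through the file descriptor. The function names, the scratch directory under /tmp and the file names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not HylaFAX+ code. Changes the owner of `name` inside
 * `dirpath` only if it is a regular, singly linked file, and never follows a
 * symlink placed there by the directory's owner. Returns 0 on success. */
int chown_in_dir_nofollow(const char *dirpath, const char *name,
                          uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1;
    /* Pin the directory; the lookup below is relative to this descriptor. */
    int dfd = open(dirpath, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW: fail on a symlink. O_NONBLOCK: never hang on a FIFO. */
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd >= 0) {
        /* Check and change the same open file; no path is resolved twice. */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1)
            rc = fchown(fd, uid, gid);
        close(fd);
    }
    close(dfd);
    return rc == 0 ? 0 : -1;
}

/* Constructed scenario: scratch dir with a regular file and a symlink to it.
 * Returns 1 if the file is accepted and the symlink refused, else 0. */
int demo_refuses_symlink(void)
{
    char dir[] = "/tmp/chown-demo-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/config", dir);
    snprintf(lnk, sizeof lnk, "%s/swapped", dir);
    int fd = open(file, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd >= 0) close(fd);
    int have_link = symlink(file, lnk) == 0;
    /* Use our own uid/gid so the demo runs without root. */
    int ok_file = chown_in_dir_nofollow(dir, "config", getuid(), getgid());
    int ok_link = chown_in_dir_nofollow(dir, "swapped", getuid(), getgid());
    unlink(lnk); unlink(file); rmdir(dir);
    return fd >= 0 && have_link && ok_file == 0 && ok_link == -1;
}
int main(void) { return demo_refuses_symlink() ? 0 : 1; }
```

O_NOFOLLOW only guards the final path component, so the directory path passed in must itself come from a trusted location.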



Remediation

Install the update from the vendor's website.