Gentoo update for targetcli-fb

Published: 2020-08-31

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2020-10699 CVE-2020-13867
CWE-ID	CWE-264 CWE-276
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Gentoo Linux Operating systems & Components / Operating system
Vendor	Gentoo

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU27047

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-10699

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper privilege management the socket used by targetclid was world-writable. A local user can use this flaw to modify the iSCSI configuration and gain elevated privileges on the target system.

Mitigation

Update the affected packages.
sys-block/targetcli-fb to version: 2.1.53

Vulnerable software versions

Gentoo Linux: All versions

External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202008-22

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect default permissions

EUVDB-ID: #VU29037

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-13867

CWE-ID: CWE-276 - Incorrect Default Permissions