SB2020090112 - Amazon Linux AMI update for lynis

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020090112

SB2020090112 - Amazon Linux AMI update for lynis

Published: September 1, 2020

Security Bulletin ID SB2020090112
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Local access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2019-13033)

The vulnerability allows a local authenticated user to gain access to sensitive information.

In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by looking at the process list when a data upload is being performed. This license can be used to upload data to a central Lynis server. Although no data can be extracted by knowing the license key, it may be possible to upload the data of additional scans.


2) Improper access control (CVE-ID: CVE-2020-13882)

The vulnerability allows a local user to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions due to a TOCTOU race condition. The routine to check the log and report file permissions was not working as intended and could be bypassed locally. Because of the race, an unprivileged attacker can set up a log and report file, and control that up to the point where the specific routine is doing its check. After that, the file can be removed, recreated, and used for additional attacks.


Remediation

Install update from vendor's website.

References