Improper access control in Debian Linux - CVE-2016-2860
Published: May 13, 2016 / Updated: August 9, 2020
Debian Linux
Detailed vulnerability description
The vulnerability allows a remote authenticated user to manipulate data (in this case, to create arbitrary groups with administrator privileges).
The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.
How to mitigate CVE-2016-2860
Sources
- http://git.openafs.org/?p=openafs.git;a=commitdiff;h=396240cf070a806b91fea81131d034e1399af1e0
- http://www.debian.org/security/2016/dsa-3569
- http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
- https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
- https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17