#VU32620 Permissions, Privileges, and Access Controls in lighttpd - CVE-2013-4559
Vulnerability identifier: #VU32620
Vulnerability risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
lighttpd
Server applications /
Web servers
Vendor: lighttpd
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
Mitigation
Install update from vendor's website.
Vulnerable software versions
lighttpd: 1.4.1 - 1.4.32
External links
https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
https://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html
https://marc.info/?l=bugtraq&m=141576815022399&w=2
https://secunia.com/advisories/55682
https://www.openwall.com/lists/oss-security/2013/11/12/4
https://kc.mcafee.com/corporate/index?page=content&id=SB10310
https://www.debian.org/security/2013/dsa-2795
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
