Two security flaws have been identified in the CIFS server (Samba). They allow remote attackers to gain elevated privileges and execute arbitrary code.
Package: Samba 3.x
Operating systems: HP-UX 11.x
Criticality: 8.7
Problem: error in a software component
Exploitation: remote
Impact: privilege escalation, arbitrary code execution
Solution: vendor patch
CVE: CVE-2012-1182, CVE-2012-2111
Original advisory ID: HPSBUX02789
Source: Hewlett Packard
Problem:
The flaws result from errors in the RPC code generator and in the CreateAccount, OpenAccount, AddAccountRights and RemoveAccountRights LSA RPC procedures.
Impact:
Attackers can exploit them to gain elevated privileges and execute arbitrary code.
Solution:
All users are advised to install the appropriate update.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03365218
Version: 1
HPSBUX02789 SSRT100824 rev.1 - HP-UX CIFS Server (Samba), Remote Execution of Arbitrary Code, Elevation of Privileges
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-06-13
Last Updated: 2012-06-13
Potential Security Impact: Remote execution of arbitrary code, elevation of privileges
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX CIFS-Server (Samba). The vulnerabilities could be exploited remotely to execute arbitrary code or elevate privileges.
References: CVE-2012-1182, CVE-2012-2111
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX CIFS-Server (Samba) A.03.01.04 or earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to:
CVSS 2.0 Base Metrics
Reference        Base Vector                     Base Score
CVE-2012-1182    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2012-2111    (AV:N/AC:L/Au:S/C:P/I:P/A:P)    6.5
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software update to resolve the vulnerabilities.
The update is available for download from http://software.hp.com
HP-UX CIFS-Server (Samba)    HP-UX Release    Apache Depot name
A.03.01.05                   11i v2           B8725AA_A.03.01.05_HP-UX_B.11.23_IA_PA.depot
A.03.01.05                   11i v3           CIFS-SERVER_A.03.01.05_HP-UX_B.11.31_IA_PA.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX CIFS-Server (Samba) A.03.01.05 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.23
HP-UX B.11.31
==================
CIFS-Development.CIFS-PRG
CIFS-Server.CIFS-ADMIN
CIFS-Server.CIFS-DOC
CIFS-Server.CIFS-LIB
CIFS-Server.CIFS-RUN
CIFS-Server.CIFS-UTIL
action: install revision A.03.01.05 or subsequent
END AFFECTED VERSIONS
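Added example (not part of the HP bulletin): a POSIX shell check that flags the filesets listed above when their revision is older than A.03.01.05. It assumes input lines of the form "name revision", as printed by swlist -l fileset -a revision on HP-UX; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
FIXED_REV="A.03.01.05"   # fixed revision named in the bulletin

# Constructed sample listing (assumed shape of swlist fileset output).
sample_listing() {
    cat <<'EOF'
# CIFS-Server                  A.03.01.04  constructed product line
  CIFS-Server.CIFS-ADMIN       A.03.01.04
  CIFS-Server.CIFS-RUN         A.03.01.05
  CIFS-Development.CIFS-PRG    A.03.01.03
  Example-Product.EX-RUN       A.01.00.00
EOF
}

# Reads "name revision [description]" lines on stdin and prints each
# bulletin-listed fileset whose revision is older than FIXED_REV.
# Exit status: 0 = nothing to update, 1 = at least one old fileset.
vulnerable_filesets() {
    awk -v fixed="$FIXED_REV" '
    # Return 1 when revision a sorts before revision b, comparing the
    # dot-separated fields left to right (letter first, then numbers).
    function older(a, b,    x, y, n, m, i) {
        n = split(a, x, "."); m = split(b, y, ".")
        if (x[1] != y[1]) return (x[1] < y[1])
        for (i = 2; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) != (y[i] + 0)) return ((x[i] + 0) < (y[i] + 0))
        }
        return 0
    }
    # Only the filesets listed under AFFECTED VERSIONS are considered;
    # product header lines starting with "#" never match.
    $1 ~ /^(CIFS-Development\.CIFS-PRG|CIFS-Server\.CIFS-(ADMIN|DOC|LIB|RUN|UTIL))$/ {
        if (older($2, fixed)) { print $1, $2; found = 1 }
    }
    END { exit found ? 1 : 0 }
    '
}

# On an HP-UX host: swlist -l fileset -a revision | vulnerable_filesets
```
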
HISTORY
Version:1 (rev.1) - 13 June 2012 Initial release