ID CVE-2014-4040
Summary snap in powerpc-utils 1.2.20 produces an archive with fstab and yaboot.conf files potentially containing cleartext passwords, and lacks a warning about reviewing this archive to detect included passwords, which might allow remote attackers to obtain sensitive information by leveraging access to a technical-support data stream.
References
Vulnerable Configurations
  • powerpc-utils project powerpc-utils 1.2.20
    cpe:2.3:a:powerpc-utils_project:powerpc-utils:1.2.20
CVSS
Base: 5.0 (as of 18-06-2014 - 13:26)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
redhat via4
advisories
bugzilla
id 1110520
title CVE-2014-4040 powerpc-utils: snap creates archives with fstab and yaboot.conf which may expose certain passwords
oval
AND
  • comment powerpc-utils is earlier than 0:1.2.24-7.el7
    oval oval:com.redhat.rhsa:tst:20150384005
  • comment powerpc-utils is signed with Red Hat redhatrelease2 key
    oval oval:com.redhat.rhsa:tst:20150384006
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
rhsa
id RHSA-2015:0384
released 2015-03-05
severity Low
title RHSA-2015:0384: powerpc-utils security, bug fix, and enhancement update (Low)
rpms powerpc-utils-0:1.2.24-7.el7
refmap via4
mlist [oss-security] 20140617 Re: CVE request: multiple /tmp races in ppc64-diag
Last major update 11-03-2015 - 21:59
Published 17-06-2014 - 11:55