ID CVE-2016-5746
Summary libstorage, libstorage-ng, and yast-storage improperly store passphrases for encrypted storage devices in a temporary file on disk, which might allow local users to obtain sensitive information by reading the file, as demonstrated by /tmp/libstorage-XXXXXX/pwdf.
References
Vulnerable Configurations
  • cpe:2.3:a:opensuse:libstorage
  • cpe:2.3:a:opensuse:libstorage-ng
  • cpe:2.3:a:yast:yast-storage
  • openSUSE Leap 42.1
    cpe:2.3:o:opensuse:leap:42.1
CVSS
Base: 1.2 (as of 27-09-2016 - 12:31)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: HIGH
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2353-1.NASL
    description This update for yast2-storage provides the following fixes:
      Security issues fixed:
        - Use standard IPC, and not temporary files, to pass passwords between processes. (bsc#986971, CVE-2016-5746)
      Non security bugs fixed:
        - Fix usage of complete multipath disk as LVM physical volume. (bsc#984245)
        - Load the correct multipath module (dm-multipath). (bsc#937942)
        - Improve message for creating volumes with a filesystem but without a mount point. (bsc#996208)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93712
    published 2016-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93712
    title SUSE SLES11 Security Update : yast2-storage (SUSE-SU-2016:2353-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2189-1.NASL
    description This update for libstorage fixes the following issues:
        - Use stdin, not tmp files for passwords (bsc#986971, CVE-2016-5746)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93311
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93311
    title SUSE SLED12 / SLES12 Security Update : libstorage (SUSE-SU-2016:2189-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1062.NASL
    description This update for libstorage fixes the following issues:
        - Use stdin, not tmp files for passwords (bsc#986971, CVE-2016-5746)
      This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 93390
    published 2016-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93390
    title openSUSE Security Update : libstorage (openSUSE-2016-1062)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2355-1.NASL
    description This update for libstorage fixes the following issues:
        - Use stdin, not tmp files for passwords (bsc#986971, CVE-2016-5746)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93713
    published 2016-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93713
    title SUSE SLES12 Security Update : libstorage (SUSE-SU-2016:2355-1)
refmap via4
bid 93169
confirm
suse openSUSE-SU-2016:2264
Last major update 28-11-2016 - 15:29
Published 26-09-2016 - 11:59
Last modified 30-10-2018 - 12:27