
Test ID: 1.3.6.1.4.1.25623.1.0.105372
Category: F5 Local Security Checks
Title: F5 BIG-IP - GNU C Library (glibc) vulnerability CVE-2014-7817
Summary: The remote host is missing a security patch.
Description:
Summary:
The remote host is missing a security patch.

Vulnerability Insight:
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing '$((`...`))'. (CVE-2014-7817)

Vulnerability Impact:
An attacker with local access and knowledge of how to make the glibc function trigger an exploit may be able to run arbitrary code. However, the risk level for this vulnerability is considered LOW because F5 product development has verified that the vulnerable code is NOT used in a way that would make an exploit possible.

Solution:
See the referenced vendor advisory for a solution.

CVSS Score:
4.6

CVSS Vector:
AV:L/AC:L/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2014-7817
62100
http://secunia.com/advisories/62100
62146
http://secunia.com/advisories/62146
71216
http://www.securityfocus.com/bid/71216
DSA-3142
http://www.debian.org/security/2015/dsa-3142
GLSA-201602-02
https://security.gentoo.org/glsa/201602-02
RHSA-2014:2023
http://rhn.redhat.com/errata/RHSA-2014-2023.html
USN-2432-1
http://www.ubuntu.com/usn/USN-2432-1
[libc-alpha] 20141119 [COMMITTED] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html
[oss-security] 20141120 CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
http://seclists.org/oss-sec/2014/q4/730
gnu-glibc-cve20147817-command-exec(98852)
https://exchange.xforce.ibmcloud.com/vulnerabilities/98852
http://linux.oracle.com/errata/ELSA-2015-0016.html
http://linux.oracle.com/errata/ELSA-2015-0092.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
openSUSE-SU-2015:0351
http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html
Copyright: Copyright (C) 2015 Greenbone AG
