English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.60033
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2007:1177
Summary:NOSUMMARY
Description:Description:

The remote host is missing updates announced in
advisory RHSA-2007:1177.

The autofs utility controls the operation of the automount daemon, which
automatically mounts file systems when you use them, and unmounts them when
you are not using them. This can include network file systems and CD-ROMs.
The autofs5 packages were made available as a technology preview in Red Hat
Enterprise Linux 4.6.

There was a security issue with the default configuration of autofs version
5, whereby the entry for the -hosts map did not specify the nodev mount
option. A local user with control of a remote NFS server could create
special device files on the remote file system, that if mounted using the
default -hosts map, could allow the user to access important system
devices. (CVE-2007-6285)

This issue is similar to CVE-2007-5964, which fixed a missing nosuid
mount option in autofs. Both the nodev and nosuid options should be
enabled to prevent a possible compromise of machine integrity.

Due to the fact that autofs always mounted -hosts map entries dev by
default, autofs has now been altered to always use the nodev option when
mounting from the default -hosts map. The dev option must be explicitly
given in the master map entry to revert to the old behavior. This change
affects only the -hosts map which corresponds to the /net entry in the
default configuration.

All autofs5 users are advised to upgrade to these updated packages, which
resolve this issue.

Red Hat would like to thank Tim Baum for reporting this issue.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2007-1177.html
http://www.redhat.com/security/updates/classification/#important

Risk factor : High

CVSS Score:
6.9

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2007-6285
1019137
http://securitytracker.com/id?1019137
26970
http://www.securityfocus.com/bid/26970
28156
http://secunia.com/advisories/28156
28168
http://secunia.com/advisories/28168
28456
http://secunia.com/advisories/28456
40442
http://osvdb.org/40442
FEDORA-2007-4707
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00726.html
FEDORA-2007-4709
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00732.html
MDVSA-2008:009
http://www.mandriva.com/security/advisories?name=MDVSA-2008:009
RHSA-2007:1176
http://rhn.redhat.com/errata/RHSA-2007-1176.html
RHSA-2007:1177
http://rhn.redhat.com/errata/RHSA-2007-1177.html
autofs-hostsmap-weak-securtiy(39188)
https://exchange.xforce.ibmcloud.com/vulnerabilities/39188
https://bugzilla.redhat.com/show_bug.cgi?id=426218
oval:org.mitre.oval:def:11457
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11457
Common Vulnerability Exposure (CVE) ID: CVE-2007-5964
1019087
http://securitytracker.com/id?1019087
26841
http://www.securityfocus.com/bid/26841
28052
http://secunia.com/advisories/28052
28097
http://secunia.com/advisories/28097
40441
http://osvdb.org/40441
FEDORA-2007-4469
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00474.html
FEDORA-2007-4532
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00549.html
RHSA-2007:1128
http://www.redhat.com/support/errata/RHSA-2007-1128.html
RHSA-2007:1129
http://www.redhat.com/support/errata/RHSA-2007-1129.html
https://bugzilla.redhat.com/show_bug.cgi?id=409701
https://bugzilla.redhat.com/show_bug.cgi?id=410031
oval:org.mitre.oval:def:10158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10158
CopyrightCopyright (c) 2007 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.