Test ID:	1.3.6.1.4.1.25623.1.0.70882
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-1166-1 (oprofile)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to oprofile announced via advisory USN-1166-1. Details: Stephane Chauveau discovered that OProfile did not properly perform input validation when processing arguments to opcontrol. A local user who is allowed to run opcontrol with privileges could exploit this to run arbitrary commands as the privileged user. (CVE-2011-1760, CVE-2011-2471) Stephane Chauveau discovered a directory traversal vulnerability in OProfile when processing the --save argument to opcontrol. A local user could exploit this to overwrite arbitrary files with the privileges of the user invoking the program. (CVE-2011-2472) Solution: The problem can be corrected by updating your system to the following package versions: Ubuntu 10.04 LTS: oprofile 0.9.6-1ubuntu4.4 http://www.securityspace.com/smysecure/catid.html?in=USN-1166-1 CVSS Score: 7.2 CVSS Vector: AV:L/AC:L/Au:NR/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2011-1760 44790 http://secunia.com/advisories/44790 45205 http://secunia.com/advisories/45205 47652 http://www.securityfocus.com/bid/47652 DSA-2254 http://www.debian.org/security/2011/dsa-2254 USN-1166-1 http://www.ubuntu.com/usn/USN-1166-1 [oss-security] 20110429 CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo http://openwall.com/lists/oss-security/2011/04/29/3 [oss-security] 20110430 Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo http://openwall.com/lists/oss-security/2011/05/01/1 http://openwall.com/lists/oss-security/2011/05/01/2 [oss-security] 20110502 Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo http://openwall.com/lists/oss-security/2011/05/02/17 [oss-security] 20110503 Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo http://openwall.com/lists/oss-security/2011/05/03/2 [oss-security] 20110510 Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo http://openwall.com/lists/oss-security/2011/05/10/6 http://openwall.com/lists/oss-security/2011/05/10/7 [oss-security] 20110511 Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo http://openwall.com/lists/oss-security/2011/05/11/1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212 https://bugzilla.redhat.com/show_bug.cgi?id=700883 Common Vulnerability Exposure (CVE) ID: CVE-2011-2471 Debian Security Information: DSA-2254 (Google Search) http://openwall.com/lists/oss-security/2011/05/03/1 XForce ISS Database: oprofile-opcontrol-priv-escalation(67980) https://exchange.xforce.ibmcloud.com/vulnerabilities/67980 Common Vulnerability Exposure (CVE) ID: CVE-2011-2472 XForce ISS Database: oprofile-opcontrol-dir-traversal(67979) https://exchange.xforce.ibmcloud.com/vulnerabilities/67979
Copyright	Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.