Vulnerability Name: CVE-2007-5964 (CCN-39015)

Assigned: 2007-12-12
Published: 2007-12-12
Updated: 2017-09-29
Summary: The default configuration of autofs 5 in some Linux distributions, such as Red Hat Enterprise Linux (RHEL) 5, omits the nosuid option for the hosts (/net filesystem) map, which allows local users to gain privileges via a setuid program on a remote NFS server.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.1 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-16
Vulnerability Consequences: Gain Privileges
References:
Source: MITRE
Type: CNA
CVE-2007-5964

Source: OSVDB
Type: UNKNOWN
40441

Source: CCN
Type: RHSA-2007-1128
Important: autofs security update

Source: CCN
Type: RHSA-2007-1129
Important: autofs5 security update

Source: CCN
Type: SA28052
Red Hat autofs "/net" Privilege Escalation Vulnerability

Source: SECUNIA
Type: Vendor Advisory
28052

Source: SECUNIA
Type: Vendor Advisory
28097

Source: SECUNIA
Type: Vendor Advisory
28456

Source: CCN
Type: SECTRACK ID: 1019087
Red Hat autofs Lets Local Users Gain Root Privileges

Source: SECTRACK
Type: UNKNOWN
1019087

Source: CCN
Type: ASA-2007-518
autofs5 security update (RHSA-2007-1129)

Source: CCN
Type: ASA-2008-009
autofs5 security update (RHSA-2007-1177)

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2008:009

Source: CCN
Type: OSVDB ID: 40441
Red Hat Enterprise Linux autofs /net Local Privilege Escalation

Source: REDHAT
Type: UNKNOWN
RHSA-2007:1128

Source: REDHAT
Type: UNKNOWN
RHSA-2007:1129

Source: BID
Type: UNKNOWN
26841

Source: CCN
Type: BID-26841
autofs nosuid Mount Option Local Privilege Escalation Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=409701

Source: CCN
Type: Red Hat Bugzilla Bug 410031
CVE-2007-5964 autofs defaults don't restrict suid in /net

Source: MISC
Type: Exploit
https://bugzilla.redhat.com/show_bug.cgi?id=410031

Source: XF
Type: UNKNOWN
rhel-autofs-privilege-escalation(39015)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10158

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-4469

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-4532

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • AND
  • cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.6.z:ga:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.6.z:ga:es:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:22376 | P | ELSA-2007:1128: autofs security update (Important) | 2014-05-26
oval:org.mitre.oval:def:10158 | V | The default configuration of autofs 5 in some Linux distributions, such as Red Hat Enterprise Linux (RHEL) 5, omits the nosuid option for the hosts (/net filesystem) map, which allows local users to gain privileges via a setuid program on a remote NFS server. | 2013-04-29
oval:com.redhat.rhsa:def:20071128 | P | RHSA-2007:1128: autofs security update (Important) | 2007-12-12
oval:com.redhat.rhsa:def:20071129 | P | RHSA-2007:1129: autofs5 security update (Important) | 2007-12-12