Vulnerability Name:

CVE-2016-0392 (CCN-112611)

Assigned: 2015-12-08
Published: 2016-05-31
Updated: 2018-10-09
Summary: IBM General Parallel File System (GPFS) in GPFS Storage Server 2.0.0 through 2.0.7 and Elastic Storage Server 2.5.x through 2.5.5, 3.x before 3.5.5, and 4.x before 4.0.3, as distributed in Spectrum Scale RAID, allows local users to gain privileges via a crafted parameter to a setuid program.
CVSS v3 Severity: 8.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.3 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-284
Vulnerability Consequences: Gain Privileges
References:
Source: MITRE
Type: CNA
CVE-2016-0392

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/137373/IBM-GPFS-Spectrum-Scale-Command-Injection.html

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005875

Source: AIXAPAR
Type: UNKNOWN
IV84206

Source: CCN
Type: IBM Security Bulletin T1023763 (General Parallel File System)
IBM Spectrum Scale and IBM GPFS are affected by a security vulnerability (CVE-2016-0392)

Source: CCN
Type: IBM Security Bulletin S1005781 (Spectrum Scale)
IBM Spectrum Scale and IBM GPFS are affected by a security vulnerability (CVE-2016-0392)

Source: CCN
Type: IBM Security Bulletin S1009571 (Storwize V7000 Unified (2073))
GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-0392)

Source: CCN
Type: IBM Security Bulletin 1986595 (DB2 for Linux, UNIX and Windows)
IBM DB2 LUW on AIX and Linux Affected by Multiple Vulnerabilities in GPFS.

Source: CCN
Type: IBM Security Bulletin 1988928 (PureApplication System)
The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2016-0392)

Source: BUGTRAQ
Type: UNKNOWN
20160607 [CVE-2016-0392] IBM GPFS / Spectrum Scale Command Injection

Source: BID
Type: UNKNOWN
91082

Source: CCN
Type: BID-91082
IBM Spectrum Scale and GPFS CVE-2016-0392 Local Command Injection Vulnerability

Source: SECTRACK
Type: UNKNOWN
1036458

Source: XF
Type: UNKNOWN
ibm-gpfs-cve20160392-command-injection(112611)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:ibm:elastic_storage_server:2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:general_parallel_file_system_storage_server:2.0.7:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:spectrum_scale:4.1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_scale:4.2.0.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:pureapplication_system:2.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.1.2.3:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    ibm elastic storage server 2.5.0
    ibm elastic storage server 2.5.1
    ibm elastic storage server 2.5.2
    ibm elastic storage server 2.5.3
    ibm elastic storage server 2.5.4
    ibm elastic storage server 2.5.5
    ibm elastic storage server 3.0.0
    ibm elastic storage server 3.0.1
    ibm elastic storage server 3.0.2
    ibm elastic storage server 3.0.3
    ibm elastic storage server 3.0.4
    ibm elastic storage server 3.0.5
    ibm elastic storage server 3.5.0
    ibm elastic storage server 3.5.1
    ibm elastic storage server 3.5.2
    ibm elastic storage server 3.5.3
    ibm elastic storage server 3.5.4
    ibm elastic storage server 4.0.0
    ibm elastic storage server 4.0.1
    ibm elastic storage server 4.0.2
    ibm general parallel file system storage server 2.0.0
    ibm general parallel file system storage server 2.0.1
    ibm general parallel file system storage server 2.0.2
    ibm general parallel file system storage server 2.0.3
    ibm general parallel file system storage server 2.0.4
    ibm general parallel file system storage server 2.0.5
    ibm general parallel file system storage server 2.0.6
    ibm general parallel file system storage server 2.0.7
    ibm spectrum scale 4.1.1.0
    ibm spectrum scale 4.2.0.0
    ibm pureapplication system 2.0.0.0
    ibm pureapplication system 2.0.0.1
    ibm pureapplication system 2.1.0.0
    ibm pureapplication system 2.1.0.1
    ibm pureapplication system 2.1.0.2
    ibm pureapplication system 2.1.1.0
    ibm pureapplication system 2.1.2.0
    ibm pureapplication system 2.1.2.1
    ibm pureapplication system 2.2.0.0
    ibm pureapplication system 2.2.1.0
    ibm pureapplication system 2.1.2.3