GLSA Advocate
Posted: Wed Aug 22, 2018 11:26 pm Post subject: [ GLSA 201808-03 ] NetworkManager VPNC plugin
Gentoo Linux Security Advisory
Title: NetworkManager VPNC plugin: Privilege escalation (GLSA 201808-03)
Severity: normal
Exploitable: local
Date: 2018-08-22
Bug(s): #661712
ID: 201808-03
Synopsis
A vulnerability in NetworkManager VPNC plugin allows local users to
escalate privileges.
Background
NetworkManager is a universal network configuration daemon for laptops,
desktops, servers and virtualization hosts.
The VPNC plugin provides easy access to Cisco Concentrator based VPNs
utilizing NetworkManager.
Affected Packages
Package: net-misc/networkmanager-vpnc
Vulnerable: < 1.2.6
Unaffected: >= 1.2.6
Architectures: All supported architectures
Description
When initiating a VPNC connection, NetworkManager spawns a new vpnc
process and passes the configuration via STDIN. By injecting a special
character into a configuration parameter, an attacker can coerce
NetworkManager into setting the Password helper option to an
attacker-controlled executable file.
Impact
A local attacker is able to escalate privileges via a specially crafted
configuration file.
Workaround
There is no known workaround at this time.
Resolution
All NetworkManager VPNC plugin users should upgrade to the latest
version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/networkmanager-vpnc-1.2.6"
References
CVE-2018-10900
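The flaw class from the Description, as an added example that is not part of the advisory or the plugin's code: writing one "key value" option per line without validating the value, next to a version that rejects control characters. It assumes the special character is a line break and that the configuration is read line by line; `value_is_single_line`, `append_option` and `count_options` are hypothetical names, and the sample value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* A value is safe for a one-option-per-line format only if it contains
 * no line breaks; this check rejects every ASCII control character. */
static int value_is_single_line(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Append "key value\n" to buf. With check == 0 the value is copied into the
 * stream as-is (the unsafe pattern). Returns 0 on success, -1 on rejection. */
static int append_option(char *buf, size_t cap, const char *key,
                         const char *value, int check)
{
    size_t used = strlen(buf);
    if (check && !value_is_single_line(value))
        return -1;
    int n = snprintf(buf + used, cap - used, "%s %s\n", key, value);
    if (n < 0 || (size_t)n >= cap - used) {
        buf[used] = '\0'; /* leave buf unchanged on truncation */
        return -1;
    }
    return 0;
}

/* Number of option lines a line-oriented reader would see in buf. */
static int count_options(const char *buf)
{
    int lines = 0;
    for (; *buf; buf++)
        lines += (*buf == '\n');
    return lines;
}

int main(void)
{
    /* Constructed sample: one user-supplied value carrying a line break. */
    const char *value = "gw.example.org\nInjected-Option x";
    char unsafe[128] = "", safe[128] = "";
    append_option(unsafe, sizeof unsafe, "IPSec gateway", value, 0);
    printf("unchecked: %d option line(s)\n", count_options(unsafe));
    if (append_option(safe, sizeof safe, "IPSec gateway", value, 1) != 0)
        printf("checked: value rejected, nothing written\n");
    return 0;
}
```

Rejecting the value outright, rather than stripping or escaping the character, keeps the privileged writer from guessing what the user meant.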