Vixie Cron
1. Summary:
Updated versions of all supported hosted products and all ESX 2x
products and patches for ESX 30x address critical security updates.
Service Console security updates for samba, bind, krb5, vixie-cron,
shadow-utils, openldap, pam, gcc, and gdb packages.
2. Relevant releases:
VMware Workstation 6.0.0
===========================================================
Ubuntu Security Notice USN-778-1 June 01, 2009
cron vulnerability
CVE-2006-2607
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Mandriva Linux Security Advisory MDKSA-2007:234
http://www.mandriva.com/security/
_______________________________________________________________________
Package : vixie-cron
Date : December 3, 2007
Affected: 2007.0, 2007.1, 2008.0
_______________________________________________________________________
Problem Description:
CVE-2007-4497). Another unspecified vulnerability related to untrusted
virtual machine images was discovered (CVE-2007-5617).
VMware products also shipped code copies of software with several
vulnerabilities: Samba (GLSA-200705-15), BIND (GLSA-200702-06), MIT
Kerberos 5 (GLSA-200707-11), Vixie Cron (GLSA-200704-11), shadow
(GLSA-200606-02), OpenLDAP (CVE-2006-4600), PAM (CVE-2004-0813,
CVE-2007-1716), GCC (CVE-2006-3619) and GDB (CVE-2006-4146).
Impact
======
Here's a summary of relevant postings to oss-security and bug-wget.
Unofficial patch for wget, by Florian Weimer:
http://www.openwall.com/lists/oss-security/2010/05/17/2
PoC attack on a wget cron job resulting in a .bash_profile overwrite:
http://www.openwall.com/lists/oss-security/2010/05/18/13
Brief description of an attack on a wget cron job not involving a
dot-file nor a home directory (but involving a website tree instead):
http://lists.gnu.org/archive/html/bug-wget/2010-05/msg00032.html
IBM AIX 5.2 crontab BSS Buffer Overflow Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
The crontab program is a user utility that enables users to create,
remove, and edit cron jobs. The cron jobs will then later be executed,
Exploitation allows local attackers to gain root privileges.
In at least one case, the attacker's umask will be honored when creating
files. In this case, the attacker could create world-writable root-owned
files anywhere on the system. By targeting specific system files, such
as /etc/ld.so.preload or various cron data file locations, an attacker
could execute arbitrary code with superuser privileges.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in version 9.1
This vulnerability applies to both stable (etch) and oldstable (sarge).
CVE-2007-1474
iDefense discovered that the cleanup cron script in Horde
allows local users to delete arbitrary files.
This vulnerability applies to oldstable (sarge) only.
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Alexandre Martani discovered that the APT daily cron script did not check
the return code of the date command. If a machine is configured for
automatic updates and is in a time zone where DST occurs at midnight, under
certain circumstances automatic updates might not be applied and could
become permanently disabled. (CVE-2009-1300)
It was discovered that the ocsinventory-agent which is part of the
ocsinventory suite, a hardware and software configuration indexing service,
is prone to an insecure perl module search path. As the agent is started
via cron and the current directory (/ in this case) is included in the
default perl module path the agent scans every directory on the system
for its perl modules. This enables an attacker to execute arbitrary code
via a crafted ocsinventory-agent perl module placed on the system.
is not under the remote attacker's control and no buffer overrun
situation is present that would allow altering program /flow/, it is
deemed rather unlikely that code can be injected.
Note that the required -vv configuration at hand is both non-default
and also not common in automated (cron job) setups, but usually used
in manual debugging, so not many systems would be affected by the
problem. Nonetheless, in vulnerable configurations, it is remotely
exploitable to effect a denial of service attack.
Problem type : local
Debian-specific: yes
CVE Id(s) : CVE-2007-6418
Debian Bug : 448519
Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam,
a statistical spam filter, included a database password on the command line
when using the MySQL backend. This allowed a local attacker to read the
contents of the dspam database, such as emails.
For the stable distribution (etch), this problem has been fixed in version
> credentials on the guest operating system. Furthermore, the script can
> execute programs even if you lock the desktop of the guest OS.
As opposed to pausing the VM, editing the virtual memory image and
unpausing the VM? No scripting interface is needed. How about editing
the virtual disk image and replacing one of the cron scripts with a
shell-on-a-port? Rebooting the VM and going single user? If you control
the VMware process, you control the guest. Fully and Completely.
> Mark Burnett
> http://xato.net