CVE-2016-8641
Published: 1 August 2018
A privilege escalation vulnerability was found in Nagios 4.2.x. It occurs in daemon-init.in, which creates the necessary files and then insecurely changes their ownership. A local attacker can create symbolic links before the files are created and possibly escalate privileges through the ownership change.
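The create-then-chown pattern described above, next to a hardened form, as an added example that is not code from Nagios or from this tracker. The function names and the paths used with them are hypothetical.

```shell
#!/bin/sh
# Added illustration. Function names and paths are hypothetical and are not
# taken from nagios' daemon-init.in.

# Weak pattern: a privileged script creates a file, then chowns it by path.
# touch and chown both follow symlinks, so if a less-privileged user can plant
# a link at "$1" first, the ownership change lands on the link's target.
create_then_chown_weak() {            # $1 = path, $2 = user:group
    touch "$1" && chown "$2" "$1"
}

# Hardened pattern: never reuse an existing name, create exclusively, and
# change ownership of the directory entry itself rather than what it points to.
create_owned_safe() {                 # $1 = path, $2 = user:group
    path=$1
    owner=$2
    # Reject symlinks (including dangling ones) and any pre-existing file.
    if [ -L "$path" ] || [ -e "$path" ]; then
        echo "refusing to reuse existing path: $path" >&2
        return 1
    fi
    # With noclobber (set -C) the redirection refuses a name that now exists
    # as a regular file or a dangling symlink, which closes most of the
    # window between the check above and the create.
    if ! ( set -C; : > "$path" ) 2>/dev/null; then
        echo "exclusive create failed: $path" >&2
        return 1
    fi
    # -h changes the link itself if one was swapped in, never its target.
    chown -h "$owner" "$path"
}
```

The hardened function narrows the race but does not remove it while the directory stays writable by the unprivileged account; creating the file as that account, or keeping the directory root-owned, avoids the privileged chown altogether.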
Notes
Author | Note |
---|---|
tyhicks | Debian packaging provides its own init script |
Priority
Status
Package | Release | Status |
---|---|---|
icinga (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
icinga | bionic | Not vulnerable |
icinga | cosmic | Not vulnerable |
icinga | precise | Ignored (end of life) |
icinga | trusty | Does not exist (trusty was not-affected) |
icinga | upstream | Needs triage |
icinga | xenial | Not vulnerable |
icinga | yakkety | Ignored (end of life) |
icinga | zesty | Ignored (end of life) |
nagios3 (Launchpad, Ubuntu, Debian) | artful | Not vulnerable (code not present) |
nagios3 | bionic | Not vulnerable (code not present) |
nagios3 | cosmic | Does not exist |
nagios3 | precise | Not vulnerable (code not present) |
nagios3 | trusty | Does not exist (trusty was not-affected [code not present]) |
nagios3 | upstream | Needs triage |
nagios3 | xenial | Not vulnerable (code not present) |
nagios3 | yakkety | Not vulnerable (code not present) |
nagios3 | zesty | Not vulnerable (code not present) |

Patches: upstream: https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |