Debian Linux Security Advisory 4253-1 - Denis Andzakovic discovered that network-manager-vpnc, a plugin to provide VPNC support for NetworkManager, is prone to a privilege escalation vulnerability. A newline character can be used to inject a Password helper parameter into the configuration data passed to vpnc, allowing a local user with privileges to modify a system connection to execute arbitrary commands as root.
acbb0dffafcd605128ce0ac32a2428118b568943b15f96ed93fde4fde09b84ea-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4253-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 23, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : network-manager-vpnc
CVE ID : CVE-2018-10900
Debian Bug : 904255
Denis Andzakovic discovered that network-manager-vpnc, a plugin to
provide VPNC support for NetworkManager, is prone to a privilege
escalation vulnerability. A newline character can be used to inject a
Password helper parameter into the configuration data passed to vpnc,
allowing a local user with privileges to modify a system connection to
execute arbitrary commands as root.
For the stable distribution (stretch), this problem has been fixed in
version 1.2.4-4+deb9u1.
We recommend that you upgrade your network-manager-vpnc packages.
For the detailed security status of network-manager-vpnc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/network-manager-vpnc
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltWQhJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SKCw//VcNh7gs/gMCYvTOr3+nN0GCSpvDEif63vC9quWGN2KvBclc927tpajgV
eAbYAW+Wr7mm/IV7g0nLR5WK51qnJ6QAevJmkYKWzAQpDnDM85UkNvcYkgbZ7Btp
BMw+1e7EQv/C94nKw9KARZjco8/bo6L5A2AF59HLYAK5BjRblCWyc5dqDSj4gylE
EQUdkODJPuH7s35LUqRhsTvUiQRPaOjZ0oDIkhC44GkWPnwy5yljmRPq54mqhMYU
+NrDQjKwW1eMBNrF8/BrQq0CHP8sxftlvcgMoJzwK0YX8mS3nfhtnQRbMeBWSkId
FYkHFOCdExyZDJ145NQPeVFmHj1qHElcr2swqQg1QmH4twkDhGU90zJBNwOzPTn4
7XQYeH4o29TSNMYC5b/3OpVdrq6BlVMJjTVz92yfaMO2h0ypTqyoBYQ72kZLS9kG
PkKCL1WQWSdVJ4VNqufUiBrJNVREiSeOs00f3uBYgWYocX40b679pm8YbaQj/mUZ
NIVlPJvlrhA7UkJv5VDOZyc6DPbVnLZGB8X14+L86D98JKtfbE/RnW+m2FUkwKEW
462OYIdudV0fDDneDD2e87p8DDdTIMwgO1Smgj8062RMhiv/L6FL/5XUxr1DMS6U
AQLfdnpEf3Am6cL6FTIsj53SAmh1L9B3EHEkAPH7AxX/pogBlGU=
=VkVy
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed