The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file.

The OTRS project reports :

An attacker with valid LOCAL credentials could access and manipulate the process ID file for bin/otrs.schduler.pl from the CLI.

The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file.

Updated perl-Proc-Daemon package fixes security vulnerability :

It was reported that perl-Proc-Daemon, when instructed to write a pid file, does that with a umask set to 0, so the pid file ends up with mode 666, allowing any user on the system to overwrite it (CVE-2013-7135).

Add patch from debian to fix pidfile with mode 666 CVE-2013-7135

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
86198	FreeBSD : otrs -- Scheduler Process ID File Access (1e7f0c11-673a-11e5-98c8-60a44c524f57)	Nessus	FreeBSD Local Security Checks	high
72133	Mandriva Linux Security Advisory : perl-Proc-Daemon (MDVSA-2014:021)	Nessus	Mandriva Local Security Checks	high
71760	Fedora 18 : perl-Proc-Daemon-0.14-9.fc18 (2013-23646)	Nessus	Fedora Local Security Checks	high
71759	Fedora 19 : perl-Proc-Daemon-0.14-9.fc19 (2013-23635)	Nessus	Fedora Local Security Checks	high
71757	Fedora 20 : perl-Proc-Daemon-0.14-9.fc20 (2013-23594)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2013-7135

critical

Tenable Plugins

high

high

high

high

high