GLSA-200710-25 : MLDonkey: Privilege escalation

medium Nessus Plugin ID 27557

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200710-25 (MLDonkey: Privilege escalation).

The Gentoo MLDonkey ebuild adds a user to the system named 'p2p' so that the MLDonkey service can run under a user with low privileges.
With older Portage versions this user is created with a valid login shell and no password.

Impact :

A remote attacker could log into a vulnerable system as the p2p user.
This would require an installed login service that permitted empty passwords, such as SSH configured with the 'PermitEmptyPasswords yes' option, a local login console, or a telnet server.

Workaround :

See Resolution.

Solution

Change the p2p user's shell to disallow login. For example, as root run the following command:
# usermod -s /bin/false p2p

NOTE: updating to the current MLDonkey ebuild will not remove this vulnerability; it must be fixed manually. The updated ebuild is to prevent this problem from occurring in the future.
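
To confirm whether a host still has the condition described above, the following added example (not part of the GLSA or the Nessus plugin) lists every account that has both an empty password field and a usable login shell, and checks sshd_config for 'PermitEmptyPasswords yes'. The function names and the list of non-login shells are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list accounts that have an empty password AND a login shell,
# the condition GLSA-200710-25 describes for the 'p2p' user.

# Shells treated as "login disabled" (assumed list; extend it for your site).
is_nologin_shell() {
    case "$1" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin|/usr/bin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Echo "empty" or "set". $1=user, $2=passwd password field, $3=shadow file.
password_state() {
    if [ "$2" = "x" ]; then
        # "x" means the real field lives in shadow; a missing entry is not empty.
        awk -F: -v u="$1" '
            $1 == u { print ($2 == "" ? "empty" : "set"); found = 1; exit }
            END     { if (!found) print "set" }' "$3"
    elif [ -z "$2" ]; then
        echo empty
    else
        echo set
    fi
}

# Print "user:shell" for each empty-password account that can log in.
find_empty_password_logins() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    while IFS=: read -r user pw _uid _gid _gecos _home shell; do
        if [ -z "$user" ]; then continue; fi
        shell=${shell:-/bin/sh}   # an empty shell field defaults to /bin/sh
        if is_nologin_shell "$shell"; then continue; fi
        if [ "$(password_state "$user" "$pw" "$shadow_file")" = "empty" ]; then
            echo "$user:$shell"
        fi
    done < "$passwd_file"
}

# Succeed if sshd_config sets PermitEmptyPasswords yes (first value wins).
# Simplification: Match blocks and Include files are not evaluated.
sshd_permits_empty_passwords() {
    awk 'tolower($1) == "permitemptypasswords" { print tolower($2); exit }' \
        "${1:-/etc/ssh/sshd_config}" | grep -qx yes
}
```

Source the file as root (reading /etc/shadow requires it) and call find_empty_password_logins; after the usermod fix above, p2p should no longer appear in the output.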

See Also

https://security.gentoo.org/glsa/200710-25

Plugin Details

Severity: Medium

ID: 27557

File Name: gentoo_GLSA-200710-25.nasl

Version: 1.15

Type: local

Published: 10/25/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:mldonkey, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 10/24/2007

Vulnerability Publication Date: 8/18/2007

Reference Information

CVE: CVE-2007-5714

CWE: 287

GLSA: 200710-25