BID:17180

Util-VServer Unknown Linux Capabilities Vulnerability

Info

Util-VServer Unknown Linux Capabilities Vulnerability

Bugtraq ID:	17180
Class:	Access Validation Error
CVE:	CVE-2005-4418
Remote:	Yes
Local:	Yes
Published:	Mar 21 2006 12:00AM
Updated:	Jul 18 2006 08:33PM
Credit:	The vendor disclosed this issue.
Vulnerable:	VServer util-vserver 0.30.204 VServer util-vserver 0 VServer Linux-VServer 1.9.5 .5

Not Vulnerable:	VServer util-vserver 0.30.210

Discussion

Util-VServer Unknown Linux Capabilities Vulnerability

The util-vserver package for the Linux-VServer project is susceptible to an unknown Linux capability vulnerability. The package fails to properly handle unknown Linux capabilities.

The exact consequences of this issue are currently unknown. They depend on the nature of the unknown capabilities and on the nature of the applications that use them. Hosted virtual servers may possibly gain inappropriate access to the hosting operating system.

Exploit / POC

Util-VServer Unknown Linux Capabilities Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]

Solution / Fix

Util-VServer Unknown Linux Capabilities Vulnerability

Solution:
The vendor has released an updated package to address this issue.

Please see the referenced vendor advisories for details on obtaining and applying fixes.

VServer util-vserver 0

VServer util-vserver-0.30.210.tar.bz2
http://www.13thfloor.at/~ensc/util-vserver/files/alpha/util-vserver-0. 30.210.tar.bz2

VServer util-vserver 0.30.204

Debian util-vserver/util-vserver_0.30.204-5sarge3_s390.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_s390.deb

Debian util-vserver_0.30.204-5sarge3_alpha.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_alpha.deb

Debian util-vserver_0.30.204-5sarge3_amd64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_amd64.deb

Debian util-vserver_0.30.204-5sarge3_i386.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_i386.deb

Debian util-vserver_0.30.204-5sarge3_ia64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_ia64.deb

Debian util-vserver_0.30.204-5sarge3_mips.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_mips.deb

Debian util-vserver_0.30.204-5sarge3_mipsel.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_mipsel.deb

Debian util-vserver_0.30.204-5sarge3_powerpc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_powerpc.deb

Debian util-vserver_0.30.204-5sarge3_sparc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserv er_0.30.204-5sarge3_sparc.deb

VServer util-vserver-0.30.210.tar.bz2
http://www.13thfloor.at/~ensc/util-vserver/files/alpha/util-vserver-0. 30.210.tar.bz2

References

Util-VServer Unknown Linux Capabilities Vulnerability

References:

util-vserver Project Page (VServer)
VServer Home Page (VServer)