HP-UX Get_System_Info Local Security Vulnerability

Bugtraq ID:	25469
Class:	Unknown
CVE:	CVE-2007-4590
Remote:	No
Local:	Yes
Published:	Aug 27 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	The vendor disclosed this issue.
Vulnerable:	HP Ignite-UX C.7.3.144 HP Ignite-UX C.7.2.94 HP Ignite-UX C.7.1.93 HP Ignite-UX C.7.0.212 HP HP-UX B.11.31 HP HP-UX B.11.23 HP HP-UX B.11.11 HP DynRootDisk (DRD) A.2.0.0.592 HP DynRootDisk (DRD) A.1.1.0.344 HP DynRootDisk (DRD) A.1.0.18.245 HP DynRootDisk (DRD) A.1.0.16.417
Not Vulnerable:	HP Ignite-UX C.7.3.148 HP DynRootDisk (DRD) A.3.0.0

HP-UX Get_System_Info Local Security Vulnerability

HP-UX is prone to a local vulnerability that may result in a change of network parameters.

This issue affects HP-UX running the Ignite-UX or the DynRootDisk (DRD) 'get_system_info' command.

A local attacker can exploit this issue to change certain network parameters without notification. For this to be a security issue, the 'get_system_info' command may be required to run setuid; the command's default permissions are currently not known.

A successful exploit of this issue may result in denial-of-service conditions; other attacks may also be possible.

HP-UX Get_System_Info Local Security Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

HP-UX Get_System_Info Local Security Vulnerability

Solution:
The vendor released updates to address this issue. Please see the references for more information.

HP-UX Get_System_Info Local Security Vulnerability

References:

• HP-UX Homepage (HP)
  
• HPSBUX02249 SSRT071442 rev.3 - HP-UX Running the Ignite-UX or the DynRootDisk (D (HP)