VulDB: Tenable Nessus up to 2.0.11 adduser race condition
General
scipID: 769
Affected: Tenable Nessus up to 2.0.11
Published: 07/22/2004 (Cyrille Barthelemy)
Risk: 
problematic
Entry: 99.6% complete
Created: 07/26/2004
Updated: 12/06/2012
Summary
A vulnerability classified as problematic was found in Tenable Nessus up to 2.0.11. Affected by this vulnerability is an unknown function of the file adduser. The manipulation with an unknown input leads to a race condition vulnerability. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was shared 07/22/2004 by Cyrille Barthelemy with Nessus Team. The advisory is shared for download at nessus.org. This vulnerability is known as CVE-2004-1445 since 02/13/2005. Access to the local network is required for this attack to succeed. Technical details and also a exploit are known.
The exploit is shared for download at securityfocus.com. The vulnerability was handled as a non-public zero-day exploit for at least 21 days. The vulnerability scanner Nessus provides a plugin with the ID 14567 (GLSA-200408-11 : Nessus: ‘adduser’ race condition vulnerability), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Gentoo Local Security Checks and running in the context local.
Applying a patch is able to eliminate this problem. The bugfix is ready for download at nessus.org. A possible mitigation has been published 3 weeks after the disclosure of the vulnerability. The vulnerability is also documented in the databases at OSVDB (8167), Secunia (SA12127), SecurityFocus (BID 10784) and X-Force (16768). Additional details are provided at mail.nessus.org.CVSS
Base Score: 5.2 (CVSS2#AV:A/AC:L/Au:S/C:P/I:P/A:P) [?]
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Local | High | Multiple | None | None | None |
| Adjacent | Medium | Single | Partial | Partial | Partial |
| Network | Low | None | Complete | Complete | Complete |
Exploiting
Class: Race condition
Local: No
Remote: Partially
Availability: Yes
Download: securityfocus.com
Nessus ID: 14567
Nessus Name: GLSA-200408-11 : Nessus: ‘adduser’ race condition vulnerability
Nessus Family: Gentoo Local Security Checks
Nessus Context: local
Countermeasures
Recommended: Upgrade
Reaction Time: 21 days since reported
0-Day Time: 21 days since found
Exposure Time: 21 days since known
Patch: nessus.org
Timeline
07/22/2004 | Advisory disclosed
07/22/2004 | OSVDB entry created
07/26/2004 | VulDB entry created
08/12/2004 | Countermeasure disclosed
08/30/2004 | Nessus plugin released
02/13/2005 | CVE assigned
12/06/2012 | VulDB entry updated
Sources
Advisory: nessus.org
Researcher: Cyrille Barthelemy
Company: Nessus Team
Confirmation: nessus.org
OSVDB: 8167
CVE: CVE-2004-1445 (mitre.org) (nist.org) (cvedetails.com)
Secunia: 12127
SecurityFocus: 10784
X-Force: 16768
Misc.: mail.nessus.org
- Latest Entries
- Google Chrome Web Audio Handler buffer overflow [CVE-2013-2845]
- Google Chrome Style Resolution Handler buffer overflow [CVE-2013-2844]
- Google Chrome Speech Handler buffer overflow [CVE-2013-2843]
- Google Chrome Widget Handler buffer overflow [CVE-2013-2842]
- Google Chrome Pepper Resource Handler buffer overflow [CVE-2013-2841]
- Statistics
- Archive
