[BlueOnyx:23722] Re: user root-admin on 5210R
Michael Stauber
mstauber at blueonyx.it
Thu Mar 5 20:22:44 -05 2020
Hi Maurice,
> Now if I ssh to the box as a regular user with ssh access, I can become
> root without entering *any* password at all!
When I saw *this* message at 15:05 GMT-5 I took the BlueOnyx mailing
list server offline to perform damage control.
CRITICAL VULNERABILITY that allows ROOT access to already logged in users.
Well - as long as they aren't in a Jail. Jailed users on 5210R could not
directly exploit this, but indirectly in certain ways.
Maurice: Many thanks again for bringing this to my attention. I
appreciate it! Just the venue of revelation was a bit ... unfortunate.
In the meantime I've been busy rolling out a hotfix as a YUM update (an
updated "swatch" RPM) that detects and removes the existing vulnerability.
Once that was done I started diagnosing the root cause of the issue and
by 19:15 GMT-5 the YUM updates for that (base-user-*) were also released.
I'll do another toplevel post on this list to bring more attention to
the issue.
--
With best regards
Michael Stauber