Vulnerabilities > CVE-2007-4074 - Configuration vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The default configuration of Centre for Speech Technology Research (CSTR) Festival 1.95 beta (aka 2.0 beta) on Gentoo Linux, SUSE Linux, and possibly other distributions, is run locally with elevated privileges without requiring authentication, which allows local and remote attackers to execute arbitrary commands via the local daemon on port 1314, a different vulnerability than CVE-2001-0956. NOTE: this issue is local in some environments, but remote on others.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| OS | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_FESTIVAL-4378.NASL description The festival daemon runs as root. The default config doesn last seen 2020-06-01 modified 2020-06-02 plugin id 29424 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29424 title SuSE 10 Security Update : festival (ZYPP Patch Number 4378) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(29424); script_version ("1.16"); script_cvs_date("Date: 2019/10/25 13:36:29"); script_cve_id("CVE-2007-4074"); script_name(english:"SuSE 10 Security Update : festival (ZYPP Patch Number 4378)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "The festival daemon runs as root. The default config doesn't have a password set. A local attacker could therefore connect to the daemon to have commands executed as root. (CVE-2007-4074)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4074.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4378."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(16); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/09/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:1, reference:"festival-1.95-25.9")) flag++; if (rpm_check(release:"SLES10", sp:1, reference:"festival-1.95-25.9")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_FESTIVAL-4377.NASL description The festival daemon runs as root. The default config doesn last seen 2020-06-01 modified 2020-06-02 plugin id 27520 published 2007-10-19 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27520 title openSUSE 10 Security Update : festival (festival-4377) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update festival-4377. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27520); script_version ("1.13"); script_cvs_date("Date: 2019/10/25 13:36:29"); script_cve_id("CVE-2007-4074"); script_name(english:"openSUSE 10 Security Update : festival (festival-4377)"); script_summary(english:"Check for the festival-4377 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The festival daemon runs as root. The default config doesn't have a password set. A local attacker could therefore connect to the daemon to have commands executed as root (CVE-2007-4074)." ); script_set_attribute( attribute:"solution", value:"Update the affected festival packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(16); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:festival"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:festival-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/09/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1|SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"festival-1.95-25.9") ) flag++; if ( rpm_check(release:"SUSE10.1", reference:"festival-devel-1.95-25.9") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"festival-1.96-21") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"festival-devel-1.96-21") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "festival / festival-devel"); }
References
- http://bugs.gentoo.org/show_bug.cgi?id=170477
- http://lists.opensuse.org/opensuse-security-announce/2007-10/msg00006.html
- http://secunia.com/advisories/26229
- http://secunia.com/advisories/27271
- http://security.gentoo.org/glsa/glsa-200707-10.xml
- http://www.securityfocus.com/archive/1/490465/100/0/threaded
- http://www.securityfocus.com/bid/25069
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35606