CVE-2014-4040 - Cryptographic Issues vulnerability in Powerpc-Utils Project Powerpc-Utils 1.2.20

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Vendor: powerpc-utils-project
CWE: CWE-310

Summary

snap in powerpc-utils 1.2.20 produces an archive with fstab and yaboot.conf files potentially containing cleartext passwords, and lacks a warning about reviewing this archive to detect included passwords, which might allow remote attackers to obtain sensitive information by leveraging access to a technical-support data stream.

Vulnerable Configurations

Part         Description            Count
Application  Powerpc-Utils_Project  1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Redhat

advisories
bugzilla
id: 1110520
title: CVE-2014-4040 powerpc-utils: snap creates archives with fstab and yaboot.conf which may expose certain passwords
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • comment: powerpc-utils is earlier than 0:1.2.24-7.el7
      oval: oval:com.redhat.rhsa:tst:20150384001
    • comment: powerpc-utils is signed with Red Hat redhatrelease2 key
      oval: oval:com.redhat.rhsa:tst:20150384002
rhsa
id: RHSA-2015:0384
released: 2015-03-05
severity: Low
title: RHSA-2015:0384: powerpc-utils security, bug fix, and enhancement update (Low)
rpms
  • powerpc-utils-0:1.2.24-7.el7
  • powerpc-utils-debuginfo-0:1.2.24-7.el7