Amazon Linux AMI update for amanda

Published: 2023-08-24

Risk	Low
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2016-10729 CVE-2022-37705 CVE-2023-30577
CWE-ID	CWE-77 CWE-264 CWE-88
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Command Injection

EUVDB-ID: #VU79959

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-10729

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation within the "runtar" setuid root binary. A local user with backup privileges can execute arbitrary OS commands on the system.

Mitigation

Update the affected packages:

i686:
    amanda-debuginfo-2.6.1p2-8.14.amzn1.i686
    amanda-client-2.6.1p2-8.14.amzn1.i686
    amanda-devel-2.6.1p2-8.14.amzn1.i686
    amanda-2.6.1p2-8.14.amzn1.i686
    amanda-server-2.6.1p2-8.14.amzn1.i686

src:
    amanda-2.6.1p2-8.14.amzn1.src

x86_64:
    amanda-server-2.6.1p2-8.14.amzn1.x86_64
    amanda-client-2.6.1p2-8.14.amzn1.x86_64
    amanda-devel-2.6.1p2-8.14.amzn1.x86_64
    amanda-debuginfo-2.6.1p2-8.14.amzn1.x86_64
    amanda-2.6.1p2-8.14.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2023-1808.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU74336

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-37705

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application is using a setuid component runtar, which is a wrapper for /usr/bin/tar with specific arguments that are controllable by the attacker. A local user can execute arbitrary code with root privileges.

Mitigation

Update the affected packages:

i686:
    amanda-debuginfo-2.6.1p2-8.14.amzn1.i686
    amanda-client-2.6.1p2-8.14.amzn1.i686
    amanda-devel-2.6.1p2-8.14.amzn1.i686
    amanda-2.6.1p2-8.14.amzn1.i686
    amanda-server-2.6.1p2-8.14.amzn1.i686

src:
    amanda-2.6.1p2-8.14.amzn1.src

x86_64:
    amanda-server-2.6.1p2-8.14.amzn1.x86_64
    amanda-client-2.6.1p2-8.14.amzn1.x86_64
    amanda-devel-2.6.1p2-8.14.amzn1.x86_64
    amanda-debuginfo-2.6.1p2-8.14.amzn1.x86_64
    amanda-2.6.1p2-8.14.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2023-1808.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Neutralization of Argument Delimiters in a Command

EUVDB-ID: #VU79802

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-30577

CWE-ID: CWE-88 - Argument Injection or Modification

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application mishandles argument checking for runtar.c. A local user can execute arbitrary code with elevated privileges.

Mitigation

Update the affected packages:

i686:
    amanda-debuginfo-2.6.1p2-8.14.amzn1.i686
    amanda-client-2.6.1p2-8.14.amzn1.i686
    amanda-devel-2.6.1p2-8.14.amzn1.i686
    amanda-2.6.1p2-8.14.amzn1.i686
    amanda-server-2.6.1p2-8.14.amzn1.i686

src:
    amanda-2.6.1p2-8.14.amzn1.src

x86_64:
    amanda-server-2.6.1p2-8.14.amzn1.x86_64
    amanda-client-2.6.1p2-8.14.amzn1.x86_64
    amanda-devel-2.6.1p2-8.14.amzn1.x86_64
    amanda-debuginfo-2.6.1p2-8.14.amzn1.x86_64
    amanda-2.6.1p2-8.14.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2023-1808.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.