LVM2 Missing Authentication in Cluster Logical Volume Manager Lets Local Users Manage Volumes in the Cluster
SecurityTracker Alert ID: 1024258
SecurityTracker URL: http://securitytracker.com/id/1024258
CVE Reference: CVE-2010-2526
Date: Jul 29 2010
Impact: Denial of service via local system, Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Description:
A vulnerability was reported in LVM2. A local user can manage volumes in the cluster.
The cluster logical volume manager daemon (clvmd) does not verify the credentials of clients connecting to its control UNIX abstract socket. A local user can send control commands to clvmd to activate, deactivate, or reload any logical volume on the target system or on another system in the cluster.
Alasdair Kergon reported this vulnerability.
Impact:
A local user can activate, deactivate, or reload any logical volume on the target system or on another system in the cluster.
Solution:
The vendor has issued a source code fix, available at:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/LVM2/?cvsroot=lvm2
Vendor URL: sourceware.org/lvm2/
Cause:
Authentication error
Underlying OS:
Linux (Any)
Source Message Contents
Date: Thu, 29 Jul 2010 02:44:09 +0000
Subject: LVM2
CVE-2010-2526 lvm2-cluster: insecurity when communicating between lvm2 and clvmd