Published: 17/11/2019 Updated: 19/11/2019

CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8

CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2

VMScore: 801

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

An issue exists in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by the underlying system. It is possible to achieve this by modifying the values in the files.SUM file (which are used for integrity control) and injecting malicious code into the upgrade.sh file.

Vulnerable Product	Search on Vulmon	Subscribe to Product
xorur lpar2rrd 6.11
xorur stor2rrd 2.61

Xorux Lpar2rrd Stor2rrd Remote Command Execution through File Upload

Xorux-critical-vulnerability CVE-2019-19041 Xorux Lpar2rrd Stor2rrd Remote Command Execution through File Upload (CVE-2019-19041) Gatien Goteni - BSI Group, 2019 There is a Remote Command Injection in the xorux lpar2rrd and stor2rrd applications via the “Tool upgrade” functionality The application does not correctly verify for the integrity of the upgrade package

CWE-78 https://github.com/gotenigatien/Xorux-critical-vulnerability/blob/master/README.md https://nvd.nist.gov https://github.com/gotenigatien/Xorux-critical-vulnerability

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2019-19041

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect