CVE-2008-6755
First published: Mon Dec 15 2008(Updated: )
While checking Gentoo bug: <a href="http://bugs.gentoo.org/show_bug.cgi?id=250715">http://bugs.gentoo.org/show_bug.cgi?id=250715</a> I noticed that zoneminder in Fedora defaults to apache:apache 600 for /etc/zm.conf. Therefore, Fedora defaults does now allow reading the config file directly using cat or vim. chmod o-r is probably not much of a fix in setups where local users can run own php or cgi scripts with web server privileges. However, in such setups, Fedora default seems even worse, as any php or cgi can actually modify the config (and at least break DB connectivity). In similar cases, where some daemon user needs read access to certain config file, root:<daemon_group> 640 is more common. Please check if changing: %config(noreplace) %attr(600,%{zmuid_final},%{zmgid_final}) %{_sysconfdir}/zm.conf to %config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm.conf makes sense for ZM.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ZoneMinder | =1.23.3 | |
| Fedora | =10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00204.html
- https://bugzilla.redhat.com/show_bug.cgi?id=476529
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50324
- http://bugs.gentoo.org/show_bug.cgi?id=250715
- http://admin.fedoraproject.org/updates/zoneminder-1.23.3-2.fc10
- http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11484
- https://access.redhat.com/security/cve/CVE-2008-6755
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6755
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=476529
Frequently Asked Questions
What is the severity of CVE-2008-6755?
The severity of CVE-2008-6755 is considered low, primarily because it involves a misconfiguration rather than an exploit that can be easily leveraged.
How do I fix CVE-2008-6755?
To fix CVE-2008-6755, change the permissions on /etc/zm.conf to a more secure setting that allows appropriate users to read the configuration.
Which software is affected by CVE-2008-6755?
CVE-2008-6755 specifically affects ZoneMinder version 1.23.3 running on Fedora 10.
What happens if CVE-2008-6755 is exploited?
If exploited, CVE-2008-6755 could result in unauthorized access to sensitive configuration information that should be protected.
Is there a workaround for CVE-2008-6755?
A possible workaround for CVE-2008-6755 is to manually set proper file permissions for /etc/zm.conf to limit unauthorized access.
- collector/nvd-historical
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-6755
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/zoneminder
- canonical/zoneminder
- version/zoneminder/1.23.3
- vendor/redhat
- canonical/fedora
- version/fedora/10