CVE-2020-24330
First published: Thu Aug 13 2020(Updated: )
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| Trousers Project Trousers | <=0.3.14 | |
| Fedoraproject Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/186762
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- http://www.openwall.com/lists/oss-security/2020/08/14/1
- https://bugzilla.suse.com/show_bug.cgi?id=1164472
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
- https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch
- https://sourceforge.net/p/trousers/mailman/message/37015817/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
Frequently Asked Questions
What is CVE-2020-24330?
CVE-2020-24330 is a vulnerability in TrouSerS that allows a local authenticated attacker to gain elevated privileges on the system.
How does CVE-2020-24330 affect IBM Cloud Pak for Security (CP4S)?
IBM Cloud Pak for Security (CP4S) versions 1.7.2.0, 1.7.1.0, and 1.7.0.0 are affected by CVE-2020-24330.
How does CVE-2020-24330 affect Fedora?
Fedora version 33 is affected by CVE-2020-24330.
What is the severity of CVE-2020-24330?
CVE-2020-24330 has a severity rating of 7.8 (High).
How can I fix CVE-2020-24330?
To mitigate CVE-2020-24330, update TrouSerS to version 0.3.15 or higher and start the tcsd daemon as the tss user instead of root.
- agent/type
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/tags
- agent/first-publish-date
- agent/trending
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0
- vendor/trousers project
- canonical/trousers project trousers
- version/trousers project trousers/0.3.14
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33