RHEL 5 / 6 : spacewalk-backend (RHSA-2013:0848)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated spacewalk-backend packages that fix one security issue are now
available for Red Hat Network Satellite 5.3, 5.4, and 5.5.

The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from
the CVE link in the References section.

Red Hat Network (RHN) Satellite is a system management tool for
Linux-based infrastructures. It allows for provisioning, monitoring,
and remote management of multiple Linux deployments with a single,
centralized tool.

It was discovered that Red Hat Network Satellite did not fully check
the authenticity of a client beyond the initial authentication check
during an Inter-Satellite Sync operation. If a remote attacker were to
modify the satellite-sync client to skip the initial authentication
call, they could obtain all channel content from any Red Hat Network
Satellite server that could be reached, even if Inter-Satellite Sync
support was disabled. (CVE-2013-2056)

This issue was discovered by Jan Pazdziora of the Red Hat Satellite
Engineering team.

Users of Red Hat Network Satellite 5.3, 5.4, and 5.5 are advised to
upgrade to these updated packages, which resolve this issue. For this
update to take effect, Red Hat Network Satellite must be restarted.
Refer to the Solution section for details.

See also :

https://www.redhat.com/security/data/cve/CVE-2013-2056.html
http://rhn.redhat.com/errata/RHSA-2013-0848.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 66537 ()

Bugtraq ID: 60075

CVE ID: CVE-2013-2056