Detections
Analytics

Debian DSA-2533-1 : pcp - several vulnerabilities

medium Nessus Plugin ID 61652

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

It was discovered that Performance Co-Pilot (pcp), a framework for performance monitoring, contains several vulnerabilities.

 - CVE-2012-3418 Multiple buffer overflows in the PCP protocol decoders can cause PCP clients and servers to crash or, potentially, execute arbitrary code while processing crafted PDUs.

 - CVE-2012-3419 The 'linux' PMDA used by the pmcd daemon discloses sensitive information from the /proc file system to unauthenticated clients.

 - CVE-2012-3420 Multiple memory leaks processing crafted requests can cause pmcd to consume large amounts of memory and eventually crash.

 - CVE-2012-3421 Incorrect event-driven programming allows malicious clients to prevent other clients from accessing the pmcd daemon.

To address the information disclosure vulnerability, CVE-2012-3419, a new 'proc' PMDA was introduced, which is disabled by default. If you need access to this information, you need to enable the 'proc' PMDA.

Solution

Upgrade the pcp packages.

For the stable distribution (squeeze), this problem has been fixed in version 3.3.3-squeeze2.

See Also

https://security-tracker.debian.org/tracker/CVE-2012-3418

https://security-tracker.debian.org/tracker/CVE-2012-3419

https://security-tracker.debian.org/tracker/CVE-2012-3420

https://security-tracker.debian.org/tracker/CVE-2012-3421

https://packages.debian.org/source/squeeze/pcp

https://www.debian.org/security/2012/dsa-2533

Plugin Details

Severity: Medium

ID: 61652

File Name: debian_DSA-2533.nasl

Version: 1.12

Type: local

Agent: unix

Published: 8/24/2012

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:pcp, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/23/2012

Reference Information

CVE: CVE-2012-3418, CVE-2012-3419, CVE-2012-3420, CVE-2012-3421

BID: 55041

DSA: 2533