RHEL 6 : luci (RHSA-2013:1603)

high Nessus Plugin ID 71008

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2013:1603 advisory.

Luci is a web-based high availability administration application.

A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable by a local user, that user could use this flaw to execute arbitrary code as the root or luci user. (CVE-2013-4482)

A flaw was found in the way luci generated its configuration file. The file was created as world readable for a short period of time, allowing a local user to gain access to the authentication secrets stored in the configuration file. (CVE-2013-4481)
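The CVE-2013-4481 pattern is create-then-chmod: a secrets file is created under the process umask (typically 0644) and only tightened afterwards, so a local user polling the directory can read it during the window. The following is an added example, not code from luci or from the advisory; it contrasts that racy sequence with creating the file at mode 0600 in a single open(2) call. It assumes a POSIX host and forces a 022 umask for the demonstration.

```python
import os
import stat
import tempfile

# Assumption: POSIX host; the service runs under a typical umask of 022, so a
# plain open()/touch creates mode 0644 (world-readable) unless told otherwise.


def write_secret_racy(path: str, secret: str) -> int:
    """Create the file, write the secret, then tighten permissions.

    Between open() and chmod() the file is 0644 under a 022 umask, so any
    local user who polls the directory can read the secret.  Returns the
    permission bits another process would observe inside that window.
    """
    with open(path, "w") as f:
        f.write(secret)
    exposed_mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o600)
    return exposed_mode


def write_secret_safe(path: str, secret: str) -> int:
    """Create the file with mode 0600 in the same open(2) call.

    O_CREAT|O_EXCL also refuses to reuse a pre-planted file or symlink, and
    the mode is applied at creation time, so there is no window in which the
    secret is world-readable.  Returns the permission bits after creation.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, secret.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set in the given permission bits."""
    return bool(mode & stat.S_IROTH)


def demo() -> tuple:
    """Run both writers under umask 022; returns (racy_exposed, safe_exposed)."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = write_secret_racy(os.path.join(d, "racy.conf"), "pw=hunter2")
            safe = write_secret_safe(os.path.join(d, "safe.conf"), "pw=hunter2")
            return world_readable(racy), world_readable(safe)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The observed mode in write_secret_racy is exactly what an attacker's stat() would return between the two calls; setting a restrictive umask in the init script narrows the window but only creating with an explicit 0600 mode removes it.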

These issues were discovered by Jan Pokorný of Red Hat.

These updated luci packages include numerous bug fixes and two enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical Notes, linked to in the References, for information on the most significant of these changes.

All luci users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing this update, the luci service will be restarted automatically.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
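Because the check is purely version-based, it can be reproduced from the host's own rpm database. The following is an added example, not Tenable's plugin logic or Red Hat tooling: it parses rpm -qa style output and applies a simplified rpm version comparison (numeric segments compared as integers, so release 48 is newer than 9). The fixed build luci-0.26.0-48.el6 is an assumption to be confirmed against the advisory's package list, and the rpm list below is constructed sample data.

```python
import re

# Assumption: the fixed build is luci-0.26.0-48.el6 (the NVR listed in
# RHSA-2013:1603); confirm against the advisory before relying on it.
FIXED_NVR = "luci-0.26.0-48.el6"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version-segment comparison.

    Both strings are split into runs of digits and runs of letters; digit
    runs compare numerically (so 48 > 9), letter runs lexically, and a digit
    run is newer than a letter run in the same position.  If all common
    segments match, the string with segments left over is newer.  The
    tilde/caret ordering of newer rpm is deliberately not implemented.
    Returns -1, 0 or 1 like strcmp.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_nvr(nvr: str) -> tuple:
    """Split 'name-version-release' into its parts, splitting from the right
    because package names may themselves contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vr_cmp(installed_nvr: str, fixed_nvr: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    _, iv, ir = parse_nvr(installed_nvr)
    _, fv, fr = parse_nvr(fixed_nvr)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def vulnerable_packages(rpm_list: str, fixed_nvr: str = FIXED_NVR) -> list:
    """Return installed NVRA strings for the fixed package's name that are
    older than the fixed build.

    rpm_list is text in the form produced by
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n'
    """
    fixed_name = parse_nvr(fixed_nvr)[0]
    hits = []
    for line in rpm_list.splitlines():
        line = line.strip()
        if not line:
            continue
        nvr, _arch = line.rsplit(".", 1)  # strip the trailing .ARCH
        if parse_nvr(nvr)[0] != fixed_name:
            continue
        if vr_cmp(nvr, fixed_nvr) < 0:
            hits.append(line)
    return hits


# Constructed sample output, not taken from a real host: one stale luci build
# and an unrelated package that must be ignored.
SAMPLE_RPM_LIST = """\
luci-0.26.0-37.el6.x86_64
ricci-0.16.2-69.el6.x86_64
"""

if __name__ == "__main__":
    print(vulnerable_packages(SAMPLE_RPM_LIST))  # ['luci-0.26.0-37.el6.x86_64']
```

Like the plugin, this reports only on package metadata: a host that was patched by a vendor backport under a different release tag, or one running a locally rebuilt luci, needs the advisory's package list checked by hand rather than a naive string comparison.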

Solution

Update the affected luci package.

See Also

http://www.nessus.org/u?005d9654

http://www.nessus.org/u?39036186

https://access.redhat.com/errata/RHSA-2013:1603

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1001835

https://bugzilla.redhat.com/show_bug.cgi?id=1001836

https://bugzilla.redhat.com/show_bug.cgi?id=878149

https://bugzilla.redhat.com/show_bug.cgi?id=880363

https://bugzilla.redhat.com/show_bug.cgi?id=883008

https://bugzilla.redhat.com/show_bug.cgi?id=886517

https://bugzilla.redhat.com/show_bug.cgi?id=886576

https://bugzilla.redhat.com/show_bug.cgi?id=917747

https://bugzilla.redhat.com/show_bug.cgi?id=988998

https://bugzilla.redhat.com/show_bug.cgi?id=990321

Plugin Details

Severity: High

ID: 71008

File Name: redhat-RHSA-2013-1603.nasl

Version: 1.18

Type: local

Agent: unix

Published: 11/21/2013

Updated: 4/15/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.6

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2013-4482

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:luci

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/21/2013

Vulnerability Publication Date: 11/23/2013

Reference Information

CVE: CVE-2013-4481, CVE-2013-4482

BID: 63854, 63859

RHSA: 2013:1603