CVE-2016-9638

EUVD-2016-10440
In BMC Patrol before 9.13.10.02, the binary "listguests64" is configured with the setuid bit. However, when executing it, it will look for a binary named "virsh" using the PATH environment variable. The "listguests64" program will then run "virsh" using root privileges. This allows local users to elevate their privileges to root.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
Affected Products (NVD)
VendorProductVersion
bmcpatrol
𝑥
≤ 9.13.10.01
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.nes.fr/securitylab/index.php/2016/12/02/privilege-escalation-on-bmc-patrol
http://www.securityfocus.com/bid/95009
http://www.securitytracker.com/id/1037385
http://www.nes.fr/securitylab/index.php/2016/12/02/privilege-escalation-on-bmc-patrol
http://www.securityfocus.com/bid/95009
http://www.securitytracker.com/id/1037385