CVE-2020-24331: High severity IBM Cloud Pak for Security vulnerability
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon).
Other sources
TrouSerS could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw when the tcsd daemon is started with root privileges. An attacker could exploit this vulnerability to gain read and write privileges on the system.
— IBM
Frequently Asked Questions
What is CVE-2020-24331?
CVE-2020-24331 is a vulnerability found in TrouSerS through version 0.3.14.
How does CVE-2020-24331 affect IBM Cloud Pak for Security (CP4S)?
CVE-2020-24331 affects IBM Cloud Pak for Security (CP4S) versions 1.7.2.0, 1.7.1.0, and 1.7.0.0.
How does CVE-2020-24331 affect Fedora?
CVE-2020-24331 affects Fedora version 33.
What is the severity of CVE-2020-24331?
CVE-2020-24331 has a severity rating of 7.8, classified as high.
How can I fix CVE-2020-24331?
To fix CVE-2020-24331, update TrouSerS to a version beyond 0.3.14.
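To check a host for the condition in the description (the `tss` account having read and write access to `/etc/tcsd.conf`), the following added example evaluates the file's owner, group and mode bits; it is not part of the original advisory or of TrouSerS. The path and account name come from the description, the function names are illustrative, and POSIX ACLs are not evaluated.

```python
import os
import pwd
import stat
import sys

# Defaults taken from the advisory text; override on the command line.
CONF_PATH = "/etc/tcsd.conf"
ACCOUNT = "tss"


def effective_access(st_uid, st_gid, st_mode, uid, gids):
    """Return 'rw', 'r', 'w' or '' for what uid may do under classic Unix DAC.

    Exactly one permission class applies: owner, else group, else other.
    POSIX ACLs and capabilities are not evaluated.
    """
    if uid == 0:
        return "rw"  # root bypasses the mode bits
    if uid == st_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return ("r" if st_mode & r else "") + ("w" if st_mode & w else "")


def audit(path=CONF_PATH, account=ACCOUNT):
    """Return (access, detail) for the named account against the file at path."""
    pw = pwd.getpwnam(account)  # raises KeyError if the account does not exist
    gids = set(os.getgrouplist(account, pw.pw_gid))
    st = os.stat(path)
    access = effective_access(st.st_uid, st.st_gid, st.st_mode, pw.pw_uid, gids)
    mode = stat.S_IMODE(st.st_mode)
    detail = f"{path}: uid={st.st_uid} gid={st.st_gid} mode={mode:04o}"
    return access, detail


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CONF_PATH
    account = sys.argv[2] if len(sys.argv) > 2 else ACCOUNT
    try:
        access, detail = audit(path, account)
    except (KeyError, OSError) as exc:
        sys.exit(f"cannot audit: {exc}")
    print(detail)
    if "w" in access:
        print(f"FINDING: {account} can modify the file (access={access})")
        sys.exit(1)
    print(f"ok: {account} cannot modify the file (access={access or 'none'})")
```

The script exits non-zero when the account can modify the file, so it can be used as a compliance check after updating.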