Symantec VERITAS Cluster Server (VCS) could allow unauthorized root access

vcs-unauth-root-access (10082) The risk level is classified as High Risk

Description:

VERITAS Cluster Server (VCS), developed by VERITAS, is used in cluster environments for Windows and Unix-based operating systems. A vulnerability in VCS 1.3.0 running on Sun Solaris, VCS 1.3.1 running on HP-UX, and VCS 1.2 running on Windows NT could allow a remote attacker to gain unauthorized root access to the system.

Platforms Affected:

  • Symantec, VERITAS Cluster Server 1.2
  • Symantec, VERITAS Cluster Server 1.3
  • Symantec, VERITAS Cluster Server 1.3 Solaris
  • Symantec, VERITAS Cluster Server 1.3 HP-UX

Remedy:

For VERITAS Cluster Server (VCS) 1.3.0 running on Sun Solaris:
Apply the patch for this vulnerability, as listed in Veritas TechNote ID: 238143. See References.

For VERITAS Cluster Server (VCS) 1.3.1 running on HP-UX:
Apply the patch for this vulnerability, as listed in Veritas TechNote ID: 238143. See References.

For VERITAS Cluster Server (VCS) 1.2 running on Windows NT:
Upgrade to the latest version of VCS (1.2.1 or later) as listed in Veritas TechNote ID: 238143. See References.

Consequences:

Gain Access

References:

  • Veritas TechNote ID: 238143, A security flaw in VERITAS Cluster Server (VCS) has been discovered which allows for potential unauthorized root access. at http://seer.support.veritas.com/docs/238143.htm.
  • Veritas Web site, Welcome to VERITAS! at http://www.veritas.com/us/.
  • BID-5688: Veritas Cluster Server Root Compromise Vulnerability
  • CVE-2002-1817: Unknown vulnerability in Veritas Cluster Server (VCS) 1.2 for WindowsNT, Cluster Server 1.3.0 for Solaris, and Cluster Server 1.3.1 for HP-UX allows attackers to gain privileges via unknown attack vectors.
  • SECTRACK ID: 1005204: VERITAS Cluster Server Has an Unspecified Hole That Lets Remote Users Gain Root Level Access

Reported:

Sep 09, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
