CVE-2021-42257

Description

check_smart before 6.9.1 allows unintended drive access by an unprivileged user because it only checks for a substring match of a device path (the /dev/bus substring and a number), aka an unanchored regular expression.

Related CPE's

acheck_smart_projectcheck_smart********

References

https://www.claudiokuenzler.com/monitoring-plugins/check_smart.php

Third Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1183057

ExploitIssue TrackingPatchThird Party Advisory

https://www.claudiokuenzler.com/blog/1068/check_smart-6.9.1-security-fix-release-pseudo-device-path

Third Party Advisory

[oss-security] 20211014 CVE-2021-42257: check_smart.pl: unprivileged user can alter hard drive settings

ExploitThird Party Advisory

CvssV3 impact

BaseSeverity

HIGH

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

LOCAL

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

LOW

BaseScore

7.1

VectorString

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

NONE

AvailabilityImpact

PARTIAL

IntegrityImpact

PARTIAL

BaseScore

3.6

VectorString

AV:L/AC:L/Au:N/C:N/I:P/A:P

Version

2.0

AccessVector

LOCAL

Authentication

NONE

Created by Yello
About Severity.io