CVE-2013-3632

    • Resolved


    • CVE-2013-3632

      Saw this on the National Vulnerability Database.
      web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3632

      Has it been addressed?
      1. OpenMediaVault 4.1.6 (Arrakis) :thumbup:
        HARDWARE: ZOTAC ZBOX CI323 Nano + Patriot Torch SSD 60GB + WD MyBook 1TB
        PROCESSOR: Intel(R) Celeron(R) N3150 1.6GHz
        SYSTEM: Debian Stretch (4.16.0-0.bpo.1-amd64)
        PLUGINS: nut, omvextrasorg, backup, transmissionbt, dnsmasq

      2. OpenMediaVault 4.1.3 (Arrakis) :thumbup:
        HARDWARE: Pogoplug Classic (POGO-E02) + SanDisk Cruzer Blade 16GB + Maxtor 160GB
        PROCESSOR: Feroceon 88FR131 rev 1 (v5l) 1.2GHz
        SYSTEM: Debian Stretch (4.10.9-kirkwood-tld-1 armv5tel)
        PLUGINS: nut, omvextrasorg, backup, downloader, dnsmasq

    • That is a year old. Being able to execute commands as root by an authenticated user is a feature, not a vulnerability. A lot of cron jobs need to run as root for proper privileges.
      omv 4.1.8.2 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.8
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please read this before posting a question.
      Please don't PM for support... Too many PMs!
    • "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"

      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.


      Upload Logfile via WebGUI/CLI
      #openmediavault on freenode IRC | German & English | GMT+1
      Absolutely no Support via PM!

      I host parts of the omv-extras.org Repository, the OpenMediaVault Live Demo and the pre-built PXE Images. If you want you can take part and help covering the costs by having a look at my profile page.
    • I am glad to hear that it's a non-issue. However, since this vulnerability info is on many sites and its wording vaguely suggests any authenticated user can run commands as root, I think it's necessary for OMV to set the record straight and put everyone's mind at ease.

    • Since openmediavault 0.5.32 it is possible to disable user root in cron jobs by setting the environment variable OMV_USERMGMT_ENUMERATE_USER_ROOT to FALSE in /etc/default/openmediavault. See github.com/openmediavault/open…28d20248a6f7dd797db03967b.
      Absolutely no support through PM!

      I must not fear.
      Fear is the mind-killer.
      Fear is the little-death that brings total obliteration.
      I will face my fear.
      I will permit it to pass over me and through me.
      And when it has gone past I will turn the inner eye to see its path.
      Where the fear has gone there will be nothing.
      Only I will remain.

      Litany against fear by Bene Gesserit
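
A check for the setting named in the last reply, added here as an example; it is not part of the thread or of openmediavault itself. It assumes `/etc/default/openmediavault` holds shell-style `KEY=value` lines where the last assignment wins, treats only the exact value `FALSE` from the post as disabling root, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example: audit whether user root is disabled for OMV cron jobs.
# Assumption: the defaults file uses shell-style KEY=value lines and the
# last assignment of a variable is the effective one.

OMV_DEFAULTS="${OMV_DEFAULTS:-/etc/default/openmediavault}"
OMV_VAR="OMV_USERMGMT_ENUMERATE_USER_ROOT"

# Print the effective value of $OMV_VAR in file $1 (empty if never set).
# Returns 2 if the file cannot be read.
omv_root_enum_value() {
    [ -r "$1" ] || return 2
    # Commented-out lines do not match; keep the last assignment only,
    # then strip trailing whitespace and one pair of surrounding quotes.
    sed -n "s/^[[:space:]]*${OMV_VAR}=//p" "$1" \
        | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Returns 0 if root is disabled for cron jobs, 1 if it is still
# selectable (variable unset or any other value), 2 if unreadable.
omv_root_cron_disabled() {
    value=$(omv_root_enum_value "$1") || return 2
    # Fail closed: only the value given in the forum post counts.
    [ "$value" = "FALSE" ]
}

# Report on the live file; nothing here modifies the system.
rc=0
omv_root_cron_disabled "$OMV_DEFAULTS" || rc=$?
case "$rc" in
    0) echo "OK: $OMV_VAR is FALSE in $OMV_DEFAULTS" ;;
    1) echo "WARN: $OMV_VAR is not FALSE in $OMV_DEFAULTS" ;;
    *) echo "SKIP: cannot read $OMV_DEFAULTS" ;;
esac
```
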