Overview
The QNX PPPoEd daemon is vulnerable to command spoofing that may lead to arbitrary code execution.
Description
QNX is an RTOS (Realtime Operating System). QNX is used in many different devices and industries, including, but not limited to
The PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on QNX systems. The PPPoEd daemon uses the mount system command to load and start a networking device during PPPoE connection negotiation. However, PPPoEd relies on the
This issue has been confirmed in QNX OS versions:
Impact
The PPPoEd process is executed with root privileges by default. As a result, an attacker may be able to execute arbitrary code with root privileges.
Solution
Limit Access to PPPoEd
Acknowledgements
This vulnerability was publicly reported by Julio Cesar Fort.
This document was written by Jeff Gennari.
Other Information
CVE IDs: None
Severity Metric: 13.17
Date Public: 2004-09-05
Date First Published: 2005-02-01
Date Last Updated: 2005-02-03 16:56 UTC
Document Revision: 180