CVE-ID

CVE-2001-1182

Description
Vulnerability in login in HP-UX 11.00, 11.11, and 10.20 allows restricted shell users to bypass certain security checks and gain privileges.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
20020315
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20090302)
Votes (Legacy)
ACCEPT(5) Armstrong, Baker, Cole, Green, Ziese
MODIFY(1) Frech
NOOP(2) Foat, Wall
REVIEWING(1) Christey
Comments (Legacy)
 Frech> XF:hpux-login-unauthorized-access(6860)
 Christey> CIAC:L-114
   URL:http://ciac.llnl.gov/ciac/bulletins/l-114.shtml
   BID:3068
   URL:http://online.securityfocus.com/bid/3068
   
   This would appear to be a dupe of CVE-2001-0797, but the HP advisory
   from CVE-2001-0797 is too vague to be certain.  As quoted in
   the CERT advisory for CVE-2001-0797, HP says:
   "HP-UX does have a benign buffer overflow... [which] has been
   fixed by HP."  HP:HPSBUX0107-160 (CVE-2001-1182) states that
   "The login(1) command allows restricted shell users to
   circumvent security checks" which could be interpreted as
   meaning that HP has found a slightly less-than-benign aspect
   of the overflow, but since (a) the advisory says nothing about
   overflows and (b) the advisory does not include any
   cross-references, it cannot be clear.  There is a difference
   in the release dates as well, however, since the HP advisory
   was released in July 2001 and this CAN was publicized in
   December 2001, which may be sufficient evidence that the
   problems are different.
   
   This probably is not the same issue in login as CVE-2001-0978,
   since different patches are referenced in that CAN.
   
   There is insufficient information to know whether this is the
   same issue as CVE-2001-0094 (kerberos library issues that
   affect kerberized login).

Proposed (Legacy)
20020315
This is an entry on the CVE list, which standardizes names for security problems.