apcupsd vulnerabilities
3/29/03
CAN 2003-0098
CAN 2003-0099
Impact
A remote attacker could execute arbitrary commands with
root privileges.
Background
The APC UPS daemon (apcupsd)
is a utility which performs a clean shutdown on systems
using APC UPS equipment whenever there is a power failure
long enough to cause the UPS to run out of power.
The Problem
A format string vulnerability in the log_event
function and multiple buffer overflows elsewhere in apcupsd
could allow a remote attacker to execute arbitrary commands
by sending specially crafted commands to the apcupsd service.
apcupsd versions 3.8.5 and earlier and versions 3.10 through 3.10.4 are affected.
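The class of bug named above, shown as an added example that is not apcupsd's code: a logging helper that receives remote text as its format string, beside the corrected call. The names log_line, record_unsafe, record_safe and stores_verbatim are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for a daemon's event log
 * routine; it formats into `out` so the result can be inspected. */
static int log_line(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);   /* bounded, always NUL-terminated */
    va_end(ap);
    return n;
}

/* Vulnerable pattern: text received from the network is passed AS the
 * format string, so conversion specifiers inside it are interpreted. */
int record_unsafe(char *out, size_t len, const char *peer_text)
{
    return log_line(out, len, peer_text);
}

/* Corrected pattern: constant format, untrusted text only as an argument. */
int record_safe(char *out, size_t len, const char *peer_text)
{
    return log_line(out, len, "%s", peer_text);
}

/* Constructed input: "%%" is a specifier that consumes no argument, so the
 * difference is observable without undefined behaviour. Returns 1 when
 * the given recorder stored the text byte-for-byte. */
int stores_verbatim(int (*rec)(char *, size_t, const char *))
{
    const char *peer_text = "load 100%% reported";
    char out[64];
    rec(out, sizeof out, peer_text);
    return strcmp(out, peer_text) == 0;
}

int main(void)
{
    printf("unsafe verbatim: %d\n", stores_verbatim(record_unsafe));
    printf("safe verbatim:   %d\n", stores_verbatim(record_safe));
    return 0;
}
```

When auditing code for this pattern, declaring such a logger with GCC's format(printf, ...) function attribute lets -Wformat-security flag calls whose format argument is not a string literal.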
Resolution
Upgrade to apcupsd 3.8.6
or 3.10.5 or higher, or install a fix from your operating
system vendor.
Where can I read more about this?
This vulnerability was reported in
SCO Security Advisory 2003-015 and
SuSE Security Announcement 2003:022.