August 3, 2021 FN51
A permission issue in the Cohesity Linux agent may allow privilege escalation in versions 6.5.1b to 6.5.1d-hotfix10 and 6.6.0a to 6.6.0b-hotfix1. The vulnerability can allow an underprivileged Linux user to gain additional privileges if certain environment criteria are met.
The vulnerability provides a user additional privileges if certain environment conditions are met.
CVSS Base Score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
To remediate the vulnerability, Cohesity recommends upgrading the Linux agent to 6.5.1e or 6.6.0b with hotfix2. Customers who installed the Linux agent through the Script Installer can disregard this advisory.
The vulnerability has no impact if the Linux agents were installed using the Script Installer.
Software downloads are available here: http://downloads.cohesity.com. If you have any questions, please reach out to Cohesity Support. Email: support@cohesity.com
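The affected ranges and the Script Installer exclusion above can be applied to an agent inventory as follows. This is an added example, not Cohesity's code: the version grammar (release letter ordered alphabetically, hotfix number ordered numerically) is an assumption inferred from the version strings in this advisory, and the inventory and host names are constructed.

```python
import re

# Assumed grammar, inferred from the advisory's version strings:
# MAJOR.MINOR.PATCH + release letter + optional "-hotfixN".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])(?:-hotfix(\d+))?$")

# Affected ranges (inclusive), exactly as listed in the advisory.
AFFECTED_RANGES = [
    ("6.5.1b", "6.5.1d-hotfix10"),
    ("6.6.0a", "6.6.0b-hotfix1"),
]

def parse_version(text):
    """Turn '6.5.1d-hotfix10' into the sortable tuple (6, 5, 1, 'd', 10)."""
    m = _VERSION.match(text.strip().lower())
    if m is None:
        raise ValueError(f"unrecognised agent version: {text!r}")
    major, minor, patch, letter, hotfix = m.groups()
    return (int(major), int(minor), int(patch), letter, int(hotfix or 0))

def is_affected(version, script_installer=False):
    """True when the version is in an affected range and not script-installed."""
    if script_installer:
        return False  # the advisory excludes Script Installer deployments
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """Split hosts into (needs upgrade, needs manual review of the version)."""
    affected, review = [], []
    for host, version, script_installer in inventory:
        try:
            if is_affected(version, script_installer):
                affected.append(host)
        except ValueError:
            review.append(host)  # do not silently treat unknown as safe
    return affected, review

# Constructed inventory: (host, agent version, installed via Script Installer?)
SAMPLE_INVENTORY = [
    ("db01", "6.5.1d-hotfix10", False),
    ("db02", "6.5.1e", False),
    ("app01", "6.6.0b-hotfix1", False),
    ("app02", "6.6.0b-hotfix2", False),
    ("web01", "6.6.0a", True),
    ("old01", "unknown", False),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts whose version string does not parse are returned separately so they can be checked by hand.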
Insecure Permissions
Cohesity, Inc
Cohesity Linux Agent - Affected versions are Cohesity Linux Agent versions 6.5.1b to 6.5.1d-hotfix10 and 6.6.0a to 6.6.0b-hotfix1. The vulnerability has no impact if the Linux agents were installed using the Script Installer.
Cohesity Linux Backup Agent
Local
True
To exploit the vulnerability, an attacker needs local access to the server.
True
Cohesity acknowledges the efforts of Philippe Grégoire, who identified and disclosed the vulnerability, and Rocco Amico who participated in its responsible disclosure.