Rhino Security Labs

IBM AIX lquerylv Local Privilege Escalation Vulnerability
[CVE-2016-6079]

Vulnerability Details

CVSS Rating: 7.8 (high)

CVE-2016-6079

Disclosing Company: Rhino Security Labs

Date: 02/15/2017

Status: Published

Affected software/version:
IBM AIX 5.3, 6.1, 7.1, and 7.2

Disclosure

Disclosure Date: 02/15/2017

Vulnerability Description

The 'lquerylv' binary contained a regression that circumvented the fixes for CVE-2016-6079, a Local Privilege Escalation (LPE) vulnerability in AIX's malloc implementation. The vulnerability allows a non-privileged user to escalate to superuser (root) privileges.

CVSS Metrics

CVSS Rating (version 3.0): 7.8 (High)

Impact Score: 5.9

Exploitability Score: 1.8

Attack Vector: Local Privilege Escalation

Attack Complexity (AC): Low

Privileges Required (PR): Low

User Interaction (UI): None

Scope (S): Unchanged

Confidentiality (C): High

Integrity (I): High

Availability (A): High