PZOS-2013-002: PZOS RPC Unauthorized Object Ownership Change

Summary

A vulnerability in the RPC (remote procedure call) implementation on the Panzura PZOS version 3.0.6.0.5075.E or below has been discovered. This vulnerability may result in an unauthorized user modifying object ownership via a structured RPC request.

Details

A condition can exist in the PZOS execution of remote procedure calls through the sending of a specifically constructed request an authenticated but unauthorized remote attacker could modify object ownership.

An exploit (none known to exist at this time) of this vulnerability could result in unauthorized data modification, specifically ownership of files and folders within the hosted files.

Resolution

Upgrade the Panzura software to PZOS version 5.0.1.0 or higher; any future major or minor releases will also correct the issue. Release notes for this version will outline details as necessary for this correction.