On 02/12/2017 06:01 PM, Hartmut Goebel wrote:
> On 12.02.2017 at 15:37, David Craven wrote:
>> I think that it is a minor
>> issue at best, since anything that isn't accessible over the network or
>> running
>> with any sort of privileges is not very useful.
>
> I strongly disagree!
>
> Every piece of software available on the system may the intruder. The
> server may not be running so it can not be attacked in the first place.
> But if an intruder gains (unprivileged) access to the system, he might
> be able to start that server software. Then he might use it for
> privilege escalation (if the server software is vulnerable), as a
> back-channel or for attacking further systems.
>

An attacker with enough privileges to run Murmur has enough privileges to install Murmur anyway (perhaps but not necessarily by using Guix).

Do I misunderstand?

Regards,
Florian