CVE-2018-13405

EUVD-2018-5348

06.07.2018, 14:29

The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	𝑥 ≤ 3.16
debian	debian_linux	8.0
debian	debian_linux	9.0
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
redhat	mrg_realtime	2.0
redhat	virtualization	4.0
redhat	enterprise_linux_aus	7.4
redhat	enterprise_linux_desktop	6.0
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_eus	7.4
redhat	enterprise_linux_eus	7.5
redhat	enterprise_linux_server	6.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	6.6
redhat	enterprise_linux_server_aus	7.2
redhat	enterprise_linux_server_aus	7.3
redhat	enterprise_linux_server_tus	7.2
redhat	enterprise_linux_server_tus	7.3
redhat	enterprise_linux_server_tus	7.4
redhat	enterprise_linux_workstation	6.0
redhat	enterprise_linux_workstation	7.0
f5	big-ip_access_policy_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_access_policy_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_access_policy_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_access_policy_manager	15.1.0
f5	big-ip_access_policy_manager	16.0.0
f5	big-ip_advanced_firewall_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_advanced_firewall_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_advanced_firewall_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_advanced_firewall_manager	15.1.0
f5	big-ip_advanced_firewall_manager	16.0.0
f5	big-ip_analytics	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_analytics	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_analytics	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_analytics	15.1.0
f5	big-ip_analytics	16.0.0
f5	big-ip_application_acceleration_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_application_acceleration_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_application_acceleration_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_application_acceleration_manager	15.1.0
f5	big-ip_application_acceleration_manager	16.0.0
f5	big-ip_application_security_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_application_security_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_application_security_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_application_security_manager	15.1.0
f5	big-ip_application_security_manager	16.0.0
f5	big-ip_domain_name_system	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_domain_name_system	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_domain_name_system	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_domain_name_system	15.1.0
f5	big-ip_domain_name_system	16.0.0
f5	big-ip_edge_gateway	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_edge_gateway	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_edge_gateway	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_edge_gateway	15.1.0
f5	big-ip_edge_gateway	16.0.0
f5	big-ip_fraud_protection_service	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_fraud_protection_service	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_fraud_protection_service	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_fraud_protection_service	15.1.0
f5	big-ip_fraud_protection_service	16.0.0
f5	big-ip_global_traffic_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_global_traffic_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_global_traffic_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_global_traffic_manager	15.1.0
f5	big-ip_global_traffic_manager	16.0.0
f5	big-ip_link_controller	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_link_controller	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_link_controller	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_link_controller	15.1.0
f5	big-ip_link_controller	16.0.0
f5	big-ip_local_traffic_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_local_traffic_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_local_traffic_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_local_traffic_manager	15.1.0
f5	big-ip_local_traffic_manager	16.0.0
f5	big-ip_policy_enforcement_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_policy_enforcement_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_policy_enforcement_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_policy_enforcement_manager	15.1.0
f5	big-ip_policy_enforcement_manager	16.0.0
f5	big-ip_webaccelerator	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_webaccelerator	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_webaccelerator	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_webaccelerator	15.1.0
f5	big-ip_webaccelerator	16.0.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

artful	ignored
bionic	Fixed 4.15.0-33.36 released
cosmic	not-affected
trusty	Fixed 3.13.0-157.207 released
xenial	Fixed 4.4.0-134.160 released

linux-aws

artful	dne
bionic	Fixed 4.15.0-1020.20 released
cosmic	not-affected
trusty	Fixed 4.4.0-1028.31 released
xenial	Fixed 4.4.0-1066.76 released

linux-azure

artful	dne
bionic	Fixed 4.15.0-1022.23 released
cosmic	not-affected
trusty	not-affected
xenial	Fixed 4.15.0-1022.22~16.04.1 released

linux-azure-edge

artful	dne
bionic	not-affected
cosmic	dne
trusty	dne
xenial	Fixed 4.15.0-1022.23 released

linux-euclid

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-flo

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-gcp

artful	dne
bionic	Fixed 4.15.0-1018.19 released
cosmic	not-affected
trusty	dne
xenial	Fixed 4.15.0-1018.19~16.04.2 released

linux-gke

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-goldfish

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-grouper

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-hwe

artful	dne
bionic	not-affected
cosmic	dne
trusty	dne
xenial	Fixed 4.15.0-33.36~16.04.1 released

linux-hwe-edge

artful	dne
bionic	not-affected
cosmic	dne
trusty	dne
xenial	Fixed 4.15.0-33.36~16.04.1 released

linux-kvm

artful	dne
bionic	Fixed 4.15.0-1020.20 released
cosmic	not-affected
trusty	dne
xenial	Fixed 4.4.0-1032.38 released

linux-lts-trusty

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-utopic

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-vivid

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-wily

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-lts-xenial

artful	dne
bionic	dne
cosmic	dne
trusty	Fixed 4.4.0-134.160~14.04.1 released
xenial	dne

linux-maguro

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-mako

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	ignored

linux-manta

artful	dne
bionic	dne
cosmic	dne
trusty	dne
xenial	dne

linux-oem

artful	dne
bionic	Fixed 4.15.0-1017.20 released
cosmic	not-affected
trusty	dne
xenial	ignored

linux-raspi2

artful	ignored
bionic	Fixed 4.15.0-1021.23 released
cosmic	not-affected
trusty	dne
xenial	Fixed 4.4.0-1095.103 released

linux-snapdragon

artful	ignored
bionic	not-affected
cosmic	dne
trusty	dne
xenial	Fixed 4.4.0-1099.104 released

Known Exploits!

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

http://openwall.com/lists/oss-security/2018/07/13/2

http://www.securityfocus.com/bid/106503

https://access.redhat.com/errata/RHSA-2018:2948

https://access.redhat.com/errata/RHSA-2018:3083

https://access.redhat.com/errata/RHSA-2018:3096

https://access.redhat.com/errata/RHSA-2019:0717

https://access.redhat.com/errata/RHSA-2019:2476

https://access.redhat.com/errata/RHSA-2019:2566

https://access.redhat.com/errata/RHSA-2019:2696

https://access.redhat.com/errata/RHSA-2019:2730

https://access.redhat.com/errata/RHSA-2019:4159

https://access.redhat.com/errata/RHSA-2019:4164

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406

https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/

https://support.f5.com/csp/article/K00854051

https://twitter.com/grsecurity/status/1015082951204327425

https://usn.ubuntu.com/3752-1/

https://usn.ubuntu.com/3752-2/

https://usn.ubuntu.com/3752-3/

https://usn.ubuntu.com/3753-1/

https://usn.ubuntu.com/3753-2/

https://usn.ubuntu.com/3754-1/

https://www.debian.org/security/2018/dsa-4266

https://www.exploit-db.com/exploits/45033/