CVE-2018-13405

06.07.2018, 14:29

The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Vendor	Product	Version
linux	linux_kernel	𝑥 ≤ 3.16
debian	debian_linux	8.0
debian	debian_linux	9.0
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
redhat	mrg_realtime	2.0
redhat	virtualization	4.0
redhat	enterprise_linux_aus	7.4
redhat	enterprise_linux_desktop	6.0
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_eus	7.4
redhat	enterprise_linux_eus	7.5
redhat	enterprise_linux_server	6.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	6.6
redhat	enterprise_linux_server_aus	7.2
redhat	enterprise_linux_server_aus	7.3
redhat	enterprise_linux_server_tus	7.2
redhat	enterprise_linux_server_tus	7.3
redhat	enterprise_linux_server_tus	7.4
redhat	enterprise_linux_workstation	6.0
redhat	enterprise_linux_workstation	7.0
f5	big-ip_access_policy_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_access_policy_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_access_policy_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_access_policy_manager	15.1.0
f5	big-ip_access_policy_manager	16.0.0
f5	big-ip_advanced_firewall_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_advanced_firewall_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_advanced_firewall_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_advanced_firewall_manager	15.1.0
f5	big-ip_advanced_firewall_manager	16.0.0
f5	big-ip_analytics	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_analytics	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_analytics	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_analytics	15.1.0
f5	big-ip_analytics	16.0.0
f5	big-ip_application_acceleration_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_application_acceleration_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_application_acceleration_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_application_acceleration_manager	15.1.0
f5	big-ip_application_acceleration_manager	16.0.0
f5	big-ip_application_security_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_application_security_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_application_security_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_application_security_manager	15.1.0
f5	big-ip_application_security_manager	16.0.0
f5	big-ip_domain_name_system	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_domain_name_system	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_domain_name_system	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_domain_name_system	15.1.0
f5	big-ip_domain_name_system	16.0.0
f5	big-ip_edge_gateway	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_edge_gateway	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_edge_gateway	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_edge_gateway	15.1.0
f5	big-ip_edge_gateway	16.0.0
f5	big-ip_fraud_protection_service	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_fraud_protection_service	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_fraud_protection_service	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_fraud_protection_service	15.1.0
f5	big-ip_fraud_protection_service	16.0.0
f5	big-ip_global_traffic_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_global_traffic_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_global_traffic_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_global_traffic_manager	15.1.0
f5	big-ip_global_traffic_manager	16.0.0
f5	big-ip_link_controller	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_link_controller	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_link_controller	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_link_controller	15.1.0
f5	big-ip_link_controller	16.0.0
f5	big-ip_local_traffic_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_local_traffic_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_local_traffic_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_local_traffic_manager	15.1.0
f5	big-ip_local_traffic_manager	16.0.0
f5	big-ip_policy_enforcement_manager	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_policy_enforcement_manager	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_policy_enforcement_manager	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_policy_enforcement_manager	15.1.0
f5	big-ip_policy_enforcement_manager	16.0.0
f5	big-ip_webaccelerator	13.0.0 ≤ 𝑥 < 13.1.3.5
f5	big-ip_webaccelerator	14.0.0 ≤ 𝑥 < 14.1.3.1
f5	big-ip_webaccelerator	15.0.0 ≤ 𝑥 < 15.0.1.4
f5	big-ip_webaccelerator	15.1.0
f5	big-ip_webaccelerator	16.0.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

cosmic	not-affected
bionic	Fixed 4.15.0-33.36 released
artful	ignored
xenial	Fixed 4.4.0-134.160 released
trusty	Fixed 3.13.0-157.207 released

linux-aws

cosmic	not-affected
bionic	Fixed 4.15.0-1020.20 released
artful	dne
xenial	Fixed 4.4.0-1066.76 released
trusty	Fixed 4.4.0-1028.31 released

linux-azure

cosmic	not-affected
bionic	Fixed 4.15.0-1022.23 released
artful	dne
xenial	Fixed 4.15.0-1022.22~16.04.1 released
trusty	not-affected

linux-azure-edge

cosmic	dne
bionic	not-affected
artful	dne
xenial	Fixed 4.15.0-1022.23 released
trusty	dne

linux-euclid

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-flo

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-gcp

cosmic	not-affected
bionic	Fixed 4.15.0-1018.19 released
artful	dne
xenial	Fixed 4.15.0-1018.19~16.04.2 released
trusty	dne

linux-gke

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-goldfish

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-grouper

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-hwe

cosmic	dne
bionic	not-affected
artful	dne
xenial	Fixed 4.15.0-33.36~16.04.1 released
trusty	dne

linux-hwe-edge

cosmic	dne
bionic	not-affected
artful	dne
xenial	Fixed 4.15.0-33.36~16.04.1 released
trusty	dne

linux-kvm

cosmic	not-affected
bionic	Fixed 4.15.0-1020.20 released
artful	dne
xenial	Fixed 4.4.0-1032.38 released
trusty	dne

linux-lts-trusty

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-utopic

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-vivid

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-wily

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-lts-xenial

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	Fixed 4.4.0-134.160~14.04.1 released

linux-maguro

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-mako

cosmic	dne
bionic	dne
artful	dne
xenial	ignored
trusty	dne

linux-manta

cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

linux-oem

cosmic	not-affected
bionic	Fixed 4.15.0-1017.20 released
artful	dne
xenial	ignored
trusty	dne

linux-raspi2

cosmic	not-affected
bionic	Fixed 4.15.0-1021.23 released
artful	ignored
xenial	Fixed 4.4.0-1095.103 released
trusty	dne

linux-snapdragon

cosmic	dne
bionic	not-affected
artful	ignored
xenial	Fixed 4.4.0-1099.104 released
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

http://openwall.com/lists/oss-security/2018/07/13/2

http://www.securityfocus.com/bid/106503

https://access.redhat.com/errata/RHSA-2018:2948

https://access.redhat.com/errata/RHSA-2018:3083

https://access.redhat.com/errata/RHSA-2018:3096

https://access.redhat.com/errata/RHSA-2019:0717

https://access.redhat.com/errata/RHSA-2019:2476

https://access.redhat.com/errata/RHSA-2019:2566

https://access.redhat.com/errata/RHSA-2019:2696

https://access.redhat.com/errata/RHSA-2019:2730

https://access.redhat.com/errata/RHSA-2019:4159

https://access.redhat.com/errata/RHSA-2019:4164

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406

https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/

https://support.f5.com/csp/article/K00854051

https://twitter.com/grsecurity/status/1015082951204327425

https://usn.ubuntu.com/3752-1/

https://usn.ubuntu.com/3752-2/

https://usn.ubuntu.com/3752-3/

https://usn.ubuntu.com/3753-1/

https://usn.ubuntu.com/3753-2/

https://usn.ubuntu.com/3754-1/

https://www.debian.org/security/2018/dsa-4266

https://www.exploit-db.com/exploits/45033/