CVE-2018-7169

15.02.2018, 20:29

An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 52%

Vendor	Product	Version
shadow_project	shadow	4.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

shadow

bullseye	1:4.8.1-1 fixed
buster	no-dsa
stretch	no-dsa
jessie	no-dsa
wheezy	no-dsa
bookworm	1:4.13+dfsg1-1 fixed
sid	1:4.16.0-4 fixed
trixie	1:4.16.0-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

shadow

jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	ignored
disco	ignored
cosmic	ignored
bionic	Fixed 1:4.5-1ubuntu2.2 released
artful	ignored
xenial	Fixed 1:4.2-3.1ubuntu5.5+esm1 released
trusty	Fixed 1:4.1.5.1-1ubuntu9.5+esm1 released

Known Exploits!

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357

https://security.gentoo.org/glsa/201805-09

https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357

https://security.gentoo.org/glsa/201805-09