CVE-2020-8833

22.04.2020, 22:15

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.6 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
canonical	CNA	5.6 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Vendor	Product	Version
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	19.10
apport_project	apport	-

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

apport

focal	Fixed 2.20.11-0ubuntu22 released
eoan	Fixed 2.20.11-0ubuntu8.8 released
bionic	Fixed 2.20.9-0ubuntu7.14 released
xenial	Fixed 2.20.1-0ubuntu2.23 released
trusty	Fixed 2.14.1-0ubuntu3.29+esm4 released

Known Exploits!

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933

https://usn.ubuntu.com/4315-1/

https://usn.ubuntu.com/4315-2/

https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933

https://usn.ubuntu.com/4315-1/

https://usn.ubuntu.com/4315-2/