Bug 2187184 (CVE-2023-29383)
Summary: | CVE-2023-29383 shadow: Improper input validation in shadow-utils package utility chfn | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ipedrosa, kzak, pbrezina, saroy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was found in Shadow, where it is possible to inject control characters into fields provided to the SUID program change finger (chfn). Although it is not possible to exploit this directly (for example, adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Using \r manipulations and Unicode characters to work around blocking the : character makes it possible to give the impression that a new user has been added. An adversary can convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-07-12 15:40:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2187190, 2187192, 2187193, 2187194, 2187195, 2187215, 2187216, 2187217, 2187218, 2187219 | ||
Bug Blocks: | 2187185 |
Description
Avinash Hanwate
2023-04-17 07:00:51 UTC
Created shadow-utils tracking bugs for this issue:

Affects: fedora-all [bug 2187190]

chfn is provided in Fedora and RHEL by util-linux package, and not by shadow-utils. Thus, should I change the ownership of the bugzillas, or should I close them? It isn't clear to me as I know there is another bugzilla but it is embargoed and I can't see its content.

Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 2187215]

Did you read the original blog post about this issue?

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

There is a note about util-linux:

> Remember at the start where I said chfn can be found in util-linux and shadow packages? Well strangely enough, the util-linux version blocks control characters via “iscntrl” in ch-common.c. In addition, it adds the “ character into the blacklist, so perhaps there is a story and some research behind that one too?

IMHO, we can close this CVE for RHEL and Fedora.

Ping .. see comment #7.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-29383
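An added example, not code from this bug report, shadow or util-linux: a small auditor that flags passwd lines containing control bytes or non-ASCII bytes, the two ingredients the Doc Text names, so that a reviewer does not have to rely on what "cat /etc/passwd" renders. The function name, flag names and sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Finding flags (names are this example's own, not from shadow or util-linux). */
enum {
    PW_OK          = 0,
    PW_CTRL_CHAR   = 1 << 0, /* control byte, e.g. \r */
    PW_NON_ASCII   = 1 << 1, /* byte >= 0x80, e.g. a Unicode stand-in for ':' */
    PW_FIELD_COUNT = 1 << 2  /* not exactly 7 colon-separated fields */
};

/* Audit one passwd line, passed without its trailing newline. */
int audit_passwd_line(const char *line)
{
    int flags = PW_OK, colons = 0;

    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        if (*p == ':')
            colons++;
        else if (*p >= 0x80)          /* checked first so the result is locale-independent */
            flags |= PW_NON_ASCII;
        else if (iscntrl(*p))
            flags |= PW_CTRL_CHAR;
    }
    if (colons != 6)
        flags |= PW_FIELD_COUNT;
    return flags;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real system. */
    static const char *samples[] = {
        "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash",
        "bob:x:1001:1001:Bob\rmore:/home/bob:/bin/bash",
        "carol:x:1002:1002:Carol\xEF\xBC\x9A" "note:/home/carol:/bin/sh",
        "dave:x:1003",
    };

    /* Report line numbers and flags only; the raw line is never echoed to the terminal. */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("line %zu: flags=0x%x\n", i + 1, (unsigned)audit_passwd_line(samples[i]));
    return 0;
}
```

A non-zero flag value marks a line to inspect with a byte-level viewer rather than a terminal pager.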