1546241 – (CVE-2018-7169) CVE-2018-7169 shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation

Bug 1546241 (CVE-2018-7169) - CVE-2018-7169 shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation

Summary: CVE-2018-7169 shadow-utils: newgidmap allows unprivileged user to drop supple...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-7169
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1546242 1546243
Blocks:	1546245
TreeView+	depends on / blocked

Reported:	2018-02-16 17:27 UTC by Adam Mariš
Modified:	2021-02-17 00:48 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An issue was discovered in newgidmap, in shadow-utils, that allows an unprivileged user to be placed in a user namespace where setgroups is permitted. An attacker could use this flaw to remove himself from a supplementary group, which may allow access to certain filesystem paths, if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths.
Clone Of:
Environment:
Last Closed:	2018-03-01 16:48:13 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2018-02-16 17:27:09 UTC

An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

Bug report:

https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357

Upstream patch:

https://github.com/shadow-maint/shadow/pull/97

Comment 1 Adam Mariš 2018-02-16 17:27:41 UTC

Created shadow-utils tracking bugs for this issue:

Affects: fedora-all [bug 1546242]

Comment 3 Riccardo Schirone 2018-02-28 10:07:21 UTC

There is an ongoing effort upstream to make newgidmap more configurable and let the administrator choose which users can use setgroups(2) in the user namespace.

https://github.com/shadow-maint/shadow/pull/99

Comment 5 Riccardo Schirone 2018-03-01 16:45:16 UTC

Statement:

This issue did not affect the versions of shadow-utils as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not provide newgidmap program.

Note You need to log in before you can comment on or make changes to this bug.