Fedora Account System
Red Hat Associate
Red Hat Customer
If the HOME environment variable is unset or empty, top will read its configuration file from the current working directory without any security check. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could acieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.
Acknowledgments: Name: Qualys Research Labs
Public via: http://seclists.org/oss-sec/2018/q2/122
External References: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Created procps-ng tracking bugs for this issue: Affects: fedora-all [bug 1579639]
CVSSv3 scoring has been reviewed. Changed the AC (Attack Complexity) metric from Low to High, as exploiting this flaw relies on the target user running `top` with an unset or empty `HOME` environment variable and in a directory controlled by the attacker. This is unusual, and certainly beyond the attacker's control. Note that our score differs from NVD in one respect: User Interaction: None (NVD) vs Required (Red Hat). Exploitation requires the target user to run `top` in an attacker-controlled directory. `top` is an interactive tool: while it does support a batch mode that might be used from a script, the extra conditions for exploitation are extremely unlikely to be met by a script that is run unattended. We regard plausible attack scenarios using this flaw to target a user that is interactively running `top`.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2189 https://access.redhat.com/errata/RHSA-2019:2189
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:0595 https://access.redhat.com/errata/RHSA-2020:0595
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:1265 https://access.redhat.com/errata/RHSA-2020:1265
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:1464 https://access.redhat.com/errata/RHSA-2020:1464