Bug 1233052 (CVE-2015-3246) - CVE-2015-3246 libuser: Security flaw in handling /etc/passwd file
Summary: CVE-2015-3246 libuser: Security flaw in handling /etc/passwd file
Status: CLOSED ERRATA
Alias: CVE-2015-3246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1235517 1235518 1235519 1235520 1246225
Blocks: 1233055 1238777
Reported: 2015-06-18 07:03 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-12 09:29 UTC (History)

Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.
Last Closed: 2015-07-29 07:17:50 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:1482 | 0 | normal | SHIPPED_LIVE | Important: libuser security update | 2015-07-23 21:59:57 UTC
Red Hat Product Errata | RHSA-2015:1483 | 0 | normal | SHIPPED_LIVE | Important: libuser security update | 2015-07-24 00:44:52 UTC

Description Huzaifa S. Sidhpurwala 2015-06-18 07:03:50 UTC
A flaw was found in the way libuser handled the /etc/passwd file. Even though traditional programs like passwd, chfn, and chsh work on a temporary copy of /etc/passwd and eventually rename() it, libuser modifies /etc/passwd directly. Unfortunately, if anything goes wrong during these modifications, libuser may leave /etc/passwd in an inconsistent state.

This can cause a local denial of service. Also, when combined with CVE-2015-3245, it could result in privilege escalation to the root user.


Acknowledgements:

Red Hat would like to thank Qualys for reporting this issue.

Comment 39 Martin Prpič 2015-07-23 12:57:13 UTC
External References:

https://access.redhat.com/articles/1537873

Comment 41 errata-xmlrpc 2015-07-23 18:01:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1482 https://rhn.redhat.com/errata/RHSA-2015-1482.html

Comment 42 Florian Weimer 2015-07-23 18:12:11 UTC
Created libuser tracking bugs for this issue:

Affects: fedora-all [bug 1246225]

Comment 43 errata-xmlrpc 2015-07-23 20:45:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1483 https://rhn.redhat.com/errata/RHSA-2015-1483.html

Comment 46 Florian Weimer 2015-07-24 10:30:58 UTC
Statement:

This issue affects the versions of libuser as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This vulnerability has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 49 Fedora Update System 2015-07-30 13:55:14 UTC
libuser-0.62-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 50 Fedora Update System 2015-08-03 04:30:53 UTC
libuser-0.62-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 51 Vincent Danen 2015-11-02 19:12:48 UTC
Mitigation:

Add pam_warn and pam_deny rules to /etc/pam.d/chfn and /etc/pam.d/chsh to prevent non-root users from using this functionality.  With these edits, the files should contain:

auth       sufficient   pam_rootok.so
auth       required     pam_warn.so
auth       required     pam_deny.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

After these changes, attempts by unprivileged users to use chfn and chsh (and the respective functionality in the userhelper program) will fail, and will be logged (by default in /var/log/secure).
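
A check for the mitigation described in Comment 51, as an added example that is not part of the original bug report or of any Red Hat tooling. The function name check_pam_mitigation is an assumption; it passes only when the auth stack follows the order of the listing above (pam_rootok, then pam_warn, then pam_deny, before any other auth rule).

```shell
#!/bin/sh
# Added example: audit PAM service files for the chfn/chsh mitigation.
# Usage: sh check_pam.sh /etc/pam.d/chfn /etc/pam.d/chsh

# check_pam_mitigation FILE (hypothetical helper name)
# Returns 0 if the mitigation is in place, 1 if it is not,
# and 2 if FILE cannot be read.
check_pam_mitigation() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        { type = $1; sub(/^-/, "", type) }    # "-auth" only silences load errors
        type != "auth" { next }               # only the auth stack matters here
        {
            ctl = $2; mod = $3
            sub(/^.*\//, "", mod)             # accept absolute module paths
            if (!rootok) {
                # The first auth rule must let root through.
                if (ctl == "sufficient" && mod == "pam_rootok.so") {
                    rootok = 1; next
                }
                bad = 1; exit
            }
            # pam_warn logs the attempt; it must come before pam_deny.
            if (mod == "pam_warn.so" && ctl == "required") { warn = 1; next }
            # pam_deny fails the stack for every non-root caller.
            if (mod == "pam_deny.so" && (ctl == "required" || ctl == "requisite")) {
                deny = 1; exit
            }
            # Any other auth rule reached before pam_deny (for example
            # "include system-auth") means non-root users can still authenticate.
            bad = 1; exit
        }
        END { exit ((bad || !rootok || !warn || !deny) ? 1 : 0) }
    ' "$1"
}

# Report on every file named on the command line.
for f in "$@"; do
    if check_pam_mitigation "$f"; then
        echo "OK   $f"
    else
        echo "FAIL $f"
    fi
done
```

The check is deliberately strict: a stack that uses bracketed control values or places other auth rules ahead of pam_deny is reported as FAIL and needs manual review.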

