Bug 2187184 (CVE-2023-29383) - CVE-2023-29383 shadow: Improper input validation in shadow-utils package utility chfn
Summary: CVE-2023-29383 shadow: Improper input validation in shadow-utils package utility chfn
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-29383
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority) / medium (severity)
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2187190 2187192 2187193 2187194 2187195 2187215 2187216 2187217 2187218 2187219
Blocks: 2187185
Reported: 2023-04-17 07:00 UTC by Avinash Hanwate
Modified: 2023-07-12 15:40 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Shadow, where it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (for example, adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Using \r manipulations and Unicode characters to work around the blocking of the : character makes it possible to give the impression that a new user has been added. An adversary can convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
Clone Of:
Environment:
Last Closed: 2023-07-12 15:40:12 UTC
Embargoed:


Description Avinash Hanwate 2023-04-17 07:00:51 UTC
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character makes it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797
https://github.com/shadow-maint/shadow/pull/687
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

Comment 1 Sandipan Roy 2023-04-17 07:10:56 UTC
Created shadow-utils tracking bugs for this issue:

Affects: fedora-all [bug 2187190]

Comment 3 Iker Pedrosa 2023-04-17 07:50:28 UTC
chfn is provided in Fedora and RHEL by util-linux package, and not by shadow-utils. Thus, should I change the ownership of the bugzillas, or should I close them? It isn't clear to me as I know there is another bugzilla but it is embargoed and I can't see its content.

Comment 5 Sandipan Roy 2023-04-17 07:54:38 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 2187215]

Comment 7 Karel Zak 2023-04-17 08:36:31 UTC
Did you read the original blog post about this issue?

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/

There is a note about util-linux:

Remember at the start where I said chfn can be found in util-linux and shadow packages? Well strangely enough, the util-linux version blocks control characters via “iscntrl” in ch-common.c. In addition, it adds the “ character into the blacklist, so perhaps there is a story and some research behind that one too?

IMHO, we can close this CVE for RHEL and Fedora.
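Added example (not from this bug, the Trustwave advisory, the shadow project or util-linux): a small C program that models both halves of what the description and comment #7 discuss. The first half is how a terminal draws a GECOS field that starts with \r, so that "cat /etc/passwd" appears to show a rogue uid-0 account even though the file still holds one well-formed line for the real user. The second half is a byte-level field check that refuses control characters via iscntrl(), the approach comment #7 says util-linux takes, next to a blocklist that only refuses ':' and friends. The blocklist contents, the user "bob", the fake "root2" entry and the choice of U+A789 as the look-alike colon are assumptions made for the illustration, not the payload from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* U+A789 MODIFIER LETTER COLON in UTF-8: a look-alike for ':' that a
 * byte-level blocklist of ':' does not catch.  Chosen for this example;
 * the advisory does not say which code point was used. */
#define LOOKALIKE_COLON "\xEA\x9E\x89"

/* Bytes refused outright in a GECOS subfield.  ':' would terminate the
 * passwd field, ',' separates GECOS subfields, '=' is refused by shadow's
 * chfn, and '"' is the extra byte comment #7 says util-linux refuses.
 * This list is an assumption for the example; the real list is whatever
 * the installed chfn implements. */
static const char GECOS_BLOCKLIST[] = ":,=\"";

/* Hardened check: reject any control byte (iscntrl() covers \r, \n, ESC,
 * DEL, ...) and any blocklisted byte.  Bytes >= 0x80 are never control
 * characters in the C locale, so LOOKALIKE_COLON still passes: a blocklist
 * cannot stop look-alikes, which is why refusing control characters is the
 * part that matters.  Returns 1 if the field is acceptable, 0 if not. */
int gecos_field_ok(const char *field)
{
    const unsigned char *p;
    for (p = (const unsigned char *)field; *p != '\0'; p++) {
        if (iscntrl(*p))
            return 0;
        if (*p < 0x80 && strchr(GECOS_BLOCKLIST, *p) != NULL)
            return 0;
    }
    return 1;
}

/* Model of how a terminal draws one line: '\r' moves the cursor back to
 * column 0 and the bytes after it overwrite what was drawn before.  No
 * other control sequence is modelled, and multi-byte UTF-8 sequences are
 * treated as bytes rather than columns, which is enough here because the
 * fake entry covers the whole real prefix either way.  Writes the visible
 * text to out (NUL-terminated, at most outsz - 1 bytes) and returns its
 * length. */
size_t render_terminal_line(const char *in, char *out, size_t outsz)
{
    size_t col = 0, len = 0;
    const char *p;
    if (outsz == 0)
        return 0;
    for (p = in; *p != '\0'; p++) {
        if (*p == '\r') {
            col = 0;
            continue;
        }
        if (col + 1 >= outsz)
            break;
        out[col++] = *p;
        if (col > len)
            len = col;
    }
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed GECOS value: '\r' followed by a fake uid-0 entry spelled
     * with LOOKALIKE_COLON instead of ':'.  Only ':' is on the old
     * blocklist, so a chfn that does not reject control bytes stores it. */
    const char *gecos = "\r" "root2" LOOKALIKE_COLON "x" LOOKALIKE_COLON "0"
                        LOOKALIKE_COLON "0" LOOKALIKE_COLON "root";
    char line[256], shown[256];

    /* Constructed /etc/passwd line for the real, unprivileged user. */
    snprintf(line, sizeof line, "bob:x:1000:1000:%s:/home/bob:/bin/bash", gecos);
    render_terminal_line(line, shown, sizeof shown);

    printf("what cat(1) appears to show : %s\n", shown);
    printf("':' blocklist alone rejects it: %s\n",
           strchr(gecos, ':') != NULL ? "yes" : "no");
    printf("iscntrl() check rejects it    : %s\n",
           gecos_field_ok(gecos) ? "no" : "yes");
    return 0;
}
```

Run it and the rendered line reads as a "root2" entry with uid 0 and a home directory, while the real line for "bob" is nowhere to be seen. Feeding the raw `line` buffer straight to printf instead of the rendered copy reproduces the same effect in a real terminal, which is the whole observation behind the advisory.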

Comment 9 Karel Zak 2023-07-12 08:51:00 UTC
Ping .. see comment #7.

Comment 11 Product Security DevOps Team 2023-07-12 15:40:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-29383

