Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-13405

The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.

Published

2018-07-06T14:29:01.223

Last Modified

2024-11-21T03:47:02.490

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

6.4

Weaknesses

Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	linux	linux_kernel	≤ 3.16	Yes
Operating System	debian	debian_linux	8.0	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	canonical	ubuntu_linux	14.04	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes
Application	redhat	mrg_realtime	2.0	Yes
Application	redhat	virtualization	4.0	Yes
Operating System	redhat	enterprise_linux_aus	7.4	Yes
Operating System	redhat	enterprise_linux_desktop	6.0	Yes
Operating System	redhat	enterprise_linux_desktop	7.0	Yes
Operating System	redhat	enterprise_linux_eus	7.4	Yes
Operating System	redhat	enterprise_linux_eus	7.5	Yes
Operating System	redhat	enterprise_linux_for_real_time	7	Yes
Operating System	redhat	enterprise_linux_server	6.0	Yes
Operating System	redhat	enterprise_linux_server	7.0	Yes
Operating System	redhat	enterprise_linux_server_aus	6.6	Yes
Operating System	redhat	enterprise_linux_server_aus	7.2	Yes
Operating System	redhat	enterprise_linux_server_aus	7.3	Yes
Operating System	redhat	enterprise_linux_server_tus	7.2	Yes
Operating System	redhat	enterprise_linux_server_tus	7.3	Yes
Operating System	redhat	enterprise_linux_server_tus	7.4	Yes
Operating System	redhat	enterprise_linux_workstation	6.0	Yes
Operating System	redhat	enterprise_linux_workstation	7.0	Yes
Application	f5	big-ip_access_policy_manager	< 13.1.3.5	Yes
Application	f5	big-ip_access_policy_manager	< 14.1.3.1	Yes
Application	f5	big-ip_access_policy_manager	< 15.0.1.4	Yes
Application	f5	big-ip_access_policy_manager	15.1.0	Yes
Application	f5	big-ip_access_policy_manager	16.0.0	Yes
Application	f5	big-ip_advanced_firewall_manager	< 13.1.3.5	Yes
Application	f5	big-ip_advanced_firewall_manager	< 14.1.3.1	Yes
Application	f5	big-ip_advanced_firewall_manager	< 15.0.1.4	Yes
Application	f5	big-ip_advanced_firewall_manager	15.1.0	Yes
Application	f5	big-ip_advanced_firewall_manager	16.0.0	Yes
Application	f5	big-ip_analytics	< 13.1.3.5	Yes
Application	f5	big-ip_analytics	< 14.1.3.1	Yes
Application	f5	big-ip_analytics	< 15.0.1.4	Yes
Application	f5	big-ip_analytics	15.1.0	Yes
Application	f5	big-ip_analytics	16.0.0	Yes
Application	f5	big-ip_application_acceleration_manager	< 13.1.3.5	Yes
Application	f5	big-ip_application_acceleration_manager	< 14.1.3.1	Yes
Application	f5	big-ip_application_acceleration_manager	< 15.0.1.4	Yes
Application	f5	big-ip_application_acceleration_manager	15.1.0	Yes
Application	f5	big-ip_application_acceleration_manager	16.0.0	Yes
Application	f5	big-ip_application_security_manager	< 13.1.3.5	Yes
Application	f5	big-ip_application_security_manager	< 14.1.3.1	Yes
Application	f5	big-ip_application_security_manager	< 15.0.1.4	Yes
Application	f5	big-ip_application_security_manager	15.1.0	Yes
Application	f5	big-ip_application_security_manager	16.0.0	Yes
Application	f5	big-ip_domain_name_system	< 13.1.3.5	Yes
Application	f5	big-ip_domain_name_system	< 14.1.3.1	Yes
Application	f5	big-ip_domain_name_system	< 15.0.1.4	Yes
Application	f5	big-ip_domain_name_system	15.1.0	Yes
Application	f5	big-ip_domain_name_system	16.0.0	Yes
Application	f5	big-ip_edge_gateway	< 13.1.3.5	Yes
Application	f5	big-ip_edge_gateway	< 14.1.3.1	Yes
Application	f5	big-ip_edge_gateway	< 15.0.1.4	Yes
Application	f5	big-ip_edge_gateway	15.1.0	Yes
Application	f5	big-ip_edge_gateway	16.0.0	Yes
Application	f5	big-ip_fraud_protection_service	< 13.1.3.5	Yes
Application	f5	big-ip_fraud_protection_service	< 14.1.3.1	Yes
Application	f5	big-ip_fraud_protection_service	< 15.0.1.4	Yes
Application	f5	big-ip_fraud_protection_service	15.1.0	Yes
Application	f5	big-ip_fraud_protection_service	16.0.0	Yes
Application	f5	big-ip_global_traffic_manager	< 13.1.3.5	Yes
Application	f5	big-ip_global_traffic_manager	< 14.1.3.1	Yes
Application	f5	big-ip_global_traffic_manager	< 15.0.1.4	Yes
Application	f5	big-ip_global_traffic_manager	15.1.0	Yes
Application	f5	big-ip_global_traffic_manager	16.0.0	Yes
Application	f5	big-ip_link_controller	< 13.1.3.5	Yes
Application	f5	big-ip_link_controller	< 14.1.3.1	Yes
Application	f5	big-ip_link_controller	< 15.0.1.4	Yes
Application	f5	big-ip_link_controller	15.1.0	Yes
Application	f5	big-ip_link_controller	16.0.0	Yes
Application	f5	big-ip_local_traffic_manager	< 13.1.3.5	Yes
Application	f5	big-ip_local_traffic_manager	< 14.1.3.1	Yes
Application	f5	big-ip_local_traffic_manager	< 15.0.1.4	Yes
Application	f5	big-ip_local_traffic_manager	15.1.0	Yes
Application	f5	big-ip_local_traffic_manager	16.0.0	Yes
Application	f5	big-ip_policy_enforcement_manager	< 13.1.3.5	Yes
Application	f5	big-ip_policy_enforcement_manager	< 14.1.3.1	Yes
Application	f5	big-ip_policy_enforcement_manager	< 15.0.1.4	Yes
Application	f5	big-ip_policy_enforcement_manager	15.1.0	Yes
Application	f5	big-ip_policy_enforcement_manager	16.0.0	Yes
Application	f5	big-ip_webaccelerator	< 13.1.3.5	Yes
Application	f5	big-ip_webaccelerator	< 14.1.3.1	Yes
Application	f5	big-ip_webaccelerator	< 15.0.1.4	Yes
Application	f5	big-ip_webaccelerator	15.1.0	Yes
Application	f5	big-ip_webaccelerator	16.0.0	Yes

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Patch, Vendor Advisory ([email protected])
http://openwall.com/lists/oss-security/2018/07/13/2 Mailing List, Patch, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/106503 Broken Link ([email protected])
https://access.redhat.com/errata/RHSA-2018:2948 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:3083 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:3096 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:0717 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2476 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2566 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2696 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2730 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4159 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4164 Third Party Advisory ([email protected])
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406 Mailing List, Patch, Vendor Advisory ([email protected])
https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Patch, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/ ([email protected])
https://support.f5.com/csp/article/K00854051 Third Party Advisory ([email protected])
https://twitter.com/grsecurity/status/1015082951204327425 Third Party Advisory ([email protected])
https://usn.ubuntu.com/3752-1/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/3752-2/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/3752-3/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/3753-1/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/3753-2/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/3754-1/ Third Party Advisory ([email protected])
https://www.debian.org/security/2018/dsa-4266 Third Party Advisory ([email protected])
https://www.exploit-db.com/exploits/45033/ Exploit, Third Party Advisory, VDB Entry ([email protected])
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://openwall.com/lists/oss-security/2018/07/13/2 Mailing List, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/106503 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2948 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:3083 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:3096 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:0717 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2476 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2566 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2696 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2730 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4159 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4164 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406 Mailing List, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/ (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K00854051 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://twitter.com/grsecurity/status/1015082951204327425 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/3752-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/3752-2/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/3752-3/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/3753-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/3753-2/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/3754-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2018/dsa-4266 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/45033/ Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)