Rapid7 Vulnerability & Exploit Database

CESA-2002:137: util-linux security update

Severity: 6
CVSS: (AV:L/AC:H/Au:N/C:C/I:C/A:C)
Published: 08/12/2002
Created: 07/25/2018
Added: 03/12/2010
Modified: 07/04/2017

Description

The util-linux package shipped with CentOS Linux Advanced Server contains a locally exploitable vulnerability.

The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. The 'chfn' utility included in this package allows users to modify personal information stored in the system-wide password file, /etc/passwd. In order to modify this file, the utility is installed setuid root.

Under certain conditions, a carefully crafted attack sequence can exploit a complex file locking and modification race in this utility, allowing changes to be made to /etc/passwd. Successful exploitation and privilege escalation require minimal administrator interaction. Additionally, the password file must be over 4 kilobytes, and the local attacker's entry must not be in the last 4 kilobytes of the password file.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0638 to this issue.

An interim workaround is to remove the setuid flags from /usr/bin/chfn and /usr/bin/chsh. All users of CentOS Linux should update to the errata util-linux packages, which contain a patch to correct this vulnerability.

Many thanks to Michal Zalewski of Bindview for alerting us to this issue.

Solution(s)

  • centos-upgrade-util-linux
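
The setuid condition, the password-file size condition, and the interim workaround from the description, as a shell script added here (not code from the advisory or from util-linux). Reading "4 kilobytes" as 4096 bytes and the `PASSWD_FILE` / `SUID_TARGETS` override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and interim workaround for the chfn race (CAN-2002-0638).
# Defaults are the paths named in the advisory; the override variables are
# assumptions of this example so the functions can be pointed at test files.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
SUID_TARGETS="${SUID_TARGETS:-/usr/bin/chfn /usr/bin/chsh}"

# Return 0 if the path is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Return 0 if the file is larger than 4 KB (assumed to mean 4096 bytes),
# one of the preconditions the advisory lists.
passwd_over_4k() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 4096 ]
}

# Print one status line per target; return 0 if any target is still setuid.
audit_targets() {
    found=1
    for f in $SUID_TARGETS; do
        if is_setuid "$f"; then
            echo "SETUID  $f"
            found=0
        else
            echo "ok      $f"
        fi
    done
    return $found
}

# Interim workaround from the advisory: clear the setuid bit on each target.
apply_workaround() {
    for f in $SUID_TARGETS; do
        [ -f "$f" ] && chmod u-s "$f"
    done
    return 0
}

# Nothing runs unless a mode is requested explicitly.
case "${1:-}" in
    --audit) audit_targets && passwd_over_4k "$PASSWD_FILE" \
                 && echo "setuid present and $PASSWD_FILE exceeds 4 KB" ;;
    --fix)   apply_workaround && audit_targets ;;
esac
```

With the setuid bit cleared, unprivileged users can no longer change their own finger information or login shell until the errata package is installed and the bit restored.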
