Scores:

| Metric | CVSS2 | CVSS3 |
|---|---|---|
| Base score | 4.6 Medium | 5.3 Medium |
| Attack Vector | LOCAL | LOCAL |
| Attack Complexity | LOW | LOW |
| Authentication | NONE | - |
| Privileges Required | - | LOW |
| User Interaction | - | NONE |
| Scope | - | UNCHANGED |
| Confidentiality Impact | PARTIAL | LOW |
| Integrity Impact | PARTIAL | LOW |
| Availability Impact | PARTIAL | LOW |
| Vector | AV:L/AC:L/Au:N/C:P/I:P/A:P | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |

AI Score: 5.5 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 23.1%)
Issue Overview:
Setup in Amazon Linux 2 added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user’s shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system. (CVE-2018-1113)
Please note: this update removes the /sbin/nologin and /usr/sbin/nologin login shells from the /etc/shells file for security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, vsftpd, is modified to enable the chroot_local_user option, FTP logins are impossible. To work around this problem, add /sbin/nologin or /usr/sbin/nologin, respectively, to the /etc/shells file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes vsftpd to the security risk described in this advisory.
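The check below is an added audit example, not part of the ALAS advisory or the setup package: it scans an /etc/shells-style file and reports entries whose basename is nologin, which is exactly the condition that lets pam_shells and shell-gated daemons mistake a locked account for a permitted one. It also flags /bin/false, a generalization beyond the advisory text since that path is used for the same purpose. The sample shells file is constructed inline so the script runs offline; on a real host, call list_nologin_shells /etc/shells (the default when no argument is given).

```shell
#!/bin/sh
# Added audit example (not the advisory's or the setup package's own code).
# Assumption: the input follows /etc/shells syntax: one absolute path per line,
# '#' starts a comment, blank lines are ignored.

# list_nologin_shells [FILE]: print each entry of FILE (default /etc/shells)
# whose basename is "nologin" or "false". Returns 0 if any was found, 1 if not.
list_nologin_shells() {
    file="${1:-/etc/shells}"
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                     # drop trailing comment
        entry="$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -z "$entry" ] && continue            # skip blank/comment-only lines
        case "$(basename "$entry")" in
            nologin|false) printf '%s\n' "$entry"; found=0 ;;
        esac
    done < "$file"
    return "$found"
}

# count_nologin_shells [FILE]: number of offending entries, printed as an integer.
count_nologin_shells() {
    list_nologin_shells "$1" | wc -l | tr -d ' '
}

# make_sample_shells: write a constructed /etc/shells lookalike to a temp file
# and print its path. Two nologin entries and one /bin/false are planted.
make_sample_shells() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
# constructed sample, not a real system file
/bin/sh
/bin/bash
/sbin/nologin        # added by the vulnerable setup package
/usr/sbin/nologin
/usr/bin/zsh
/bin/false
EOF
    printf '%s\n' "$tmp"
}

# demo_report: run the check against the constructed sample and clean up.
demo_report() {
    sample="$(make_sample_shells)"
    printf 'Non-login shells listed in %s:\n' "$sample"
    list_nologin_shells "$sample" || printf '(none)\n'
    rm -f "$sample"
}

demo_report
```

A non-empty result means accounts whose shell was set to one of the listed paths may still pass pam_shells and daemons such as vsftpd; the fix is to remove those lines from /etc/shells (which is what the updated setup package does) and to gate FTP-only users some other way than a nologin shell.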
Affected Packages:
setup
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update setup to update your system.
New Packages:
noarch:
setup-2.8.71-10.amzn2.noarch
src:
setup-2.8.71-10.amzn2.src
Red Hat: CVE-2018-1113
Mitre: CVE-2018-1113
OS | OS Version | Architecture | Package | Affected Package Version | Fixed Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | noarch | setup | < 2.8.71-10.amzn2 | setup-2.8.71-10.amzn2.noarch.rpm |