CERTVU:405955util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility
6.2 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
0.004 Low
EPSS
Percentile
71.7%
Overview
The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.
Description
util-linux is shipped with Red Hat Linux and numerous other Linux distributions. It contains a collection of utility programs, such as fstab, mkfs, and chfn. The BindView RAZOR Team has discovered that because setpwnam.c inadequately locks a temporary file used when making changes to /etc/passwd, a race condition can be used to elevate privileges on the system.
For further details, please see the Bindview Advisory.
Impact
A local user may be able to elevate their privileges on the system.
Solution
Apply a patch from your vendor, or, an immediate workaround (provided by BindView) is to remove setuid flags from /usr/bin/chfn and /usr/bin/chsh. To remediate the vulnerability, patch the source code as follows.
`— util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000
+++ util-linux-2.11n/login-utils/setpwnam.c Wed Jun 12 21:37:12 2002
@@ -98,7 +98,8 @@
/* sanity check */
for (x = 0; x < 3; x++) {
if (x > 0) sleep(1);
- fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644);
- // Never share the temporary file.
- fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
umask(oldumask);
return -1;`
Vendor Information
405955
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Red Hat Inc. __ Affected
Notified: June 26, 2002 Updated: July 10, 2002
Status
Affected
Vendor Statement
Red Hat distributes the util-linux package in all Red Hat Linux distributions. Updated packages containing a fix for this vulnerability will be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the ‘up2date’ tool.
<http://rhn.redhat.com/errata/RHSA-2002-132.html>
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Sun Microsystems Inc. __ Affected
Notified: June 26, 2002 Updated: July 17, 2002
Status
Affected
Vendor Statement
This issue affects the following Sun Cobalt platforms:
Sun Cobalt RaQ
Sun Cobalt RaQ 2
Sun Cobalt RaQ 3
Sun Cobalt RaQ 4
Sun Cobalt RaQ 550
Sun Cobalt RaQ XTR
Sun Cobalt Cache RaQ series
Sun Cobalt Qube
Sun Cobalt Qube 2
Sun Cobalt Qube 3
Sun Cobalt Control Station
Sun Cobalt are generating patches for this issue presently which will be
available for download from:
<http://sunsolve.sun.com/patches/cobalt>
A SunAlert will be published which details the issue and the patch
information which will be available from:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
The SCO Group (SCO Linux) __ Affected
Notified: June 26, 2002 Updated: October 30, 2002
Status
Affected
Vendor Statement
Caldera OpenLinux is vulnerable to this race condition, and we are preparing a fix.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please also see <ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-043.0.txt>.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Alcatel __ Not Affected
Notified: June 26, 2002 Updated: July 24, 2002
Status
Not Affected
Vendor Statement
In relation to this CERT advisory on security vulnerabilities in util-linux, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. An initial analysis has shown that none of our products is affected when used as delivered to customers. The security of our customers’ networks is of highest priority for Alcatel. Therefore, investigations are going on and updates will be provided if necessary. Customers may contact their Alcatel support representative for more details.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Cray Inc. __ Not Affected
Notified: June 26, 2002 Updated: July 10, 2002
Status
Not Affected
Vendor Statement
Cray, Inc. is not vulnerable to this problem because chfn is not accessible to any users of our products.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Debian __ Not Affected
Notified: June 26, 2002 Updated: June 27, 2002
Status
Not Affected
Vendor Statement
Debian does not ship any of the util-linux login-utils tools; instead we use the corresponding tools from the ‘shadow’ package, which use a different locking technique.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
IBM __ Not Affected
Notified: June 26, 2002 Updated: July 17, 2002
Status
Not Affected
Vendor Statement
IBM’s AIX operating system is not vulnerable to the above issues. While IBM does supply open source packages for AIX through the AIX Toolbox for Linux Applications, the util-linux package is not one of them.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Lotus Software __ Not Affected
Notified: June 26, 2002 Updated: July 11, 2002
Status
Not Affected
Vendor Statement
Lotus does not ship any Linux distributions.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Microsoft Corporation __ Not Affected
Notified: June 26, 2002 Updated: July 12, 2002
Status
Not Affected
Vendor Statement
This vulnerability does not affect us.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
NetBSD __ Not Affected
Notified: June 26, 2002 Updated: July 12, 2002
Status
Not Affected
Vendor Statement
NetBSD is not affected by this issue. Password locking functions in NetBSD are provided by libutil. The lock file has been opened O_EXCL in libutil since at least May, 1996 - we did not check further back, since that covers NetBSD 1.2 and later.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Openwall GNU/*/Linux __ Not Affected
Updated: August 15, 2002
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux (Owl) is not vulnerable. We’re using a version of chfn(1) utility from the shadow suite (with our modifications) rather than one from util-linux. This decision was made during Owl development specifically to ensure compatible password file locking across the system as a whole. Additionally, on Owl, chfn(1) isn’t available to regular users by default, although that is a supported owl-control setting.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
SuSE Inc. __ Not Affected
Notified: June 26, 2002 Updated: July 15, 2002
Status
Not Affected
Vendor Statement
SuSE Linux is not vulnerable to this issue, as we do no use the passwd utility from util-linux. Instead, we are using the ones from the shadow or pwdutils suite, which properly opens the file with O_EXCL (in addition to using lockpwdf).
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Xerox Corporation __ Not Affected
Notified: June 26, 2002 Updated: May 30, 2003
Status
Not Affected
Vendor Statement
A response to this vulnerability is available from our web site: <http://www.xerox.com/security>
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
3Com Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
AT&T Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Apple Computer Inc. Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
BSDI Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Cisco Systems Inc. Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Compaq Computer Corporation Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Computer Associates Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Data General Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
F5 Networks Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
FreeBSD Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Fujitsu Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Guardian Digital Inc. Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Hewlett-Packard Company Unknown
Notified: June 26, 2002 Updated: June 27, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Intel Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Juniper Networks Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Lachman Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Lucent Technologies Unknown
Notified: June 26, 2002 Updated: June 27, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
MandrakeSoft Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Multinet Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
NEC Corporation Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Network Appliance Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Nortel Networks Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
OpenBSD Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Oracle Corporation Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
SGI Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Sequent Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Sony Corporation Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Unisphere Networks Unknown
Notified: June 26, 2002 Updated: June 28, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Unisys Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
Wind River Systems Inc. Unknown
Notified: June 26, 2002 Updated: July 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23405955 Feedback>).
View all 43 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
<http://www.securityfocus.com/bid/5344>
Acknowledgements
Thanks to Michal Zalewski, BindView RAZOR, for reporting this vulnerability.
This document was written by Ian A Finlay.
Other Information
| CVE IDs: | CVE-2002-0638 |
|---|---|
| Severity Metric: | 10.97 Date Public: |
References
Related
6.2 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
0.004 Low
EPSS
Percentile
71.7%