Lucene search

Ubuntu.comUB:CVE-2020-21583

HistoryAug 22, 2023 - 12:00 a.m.

CVE-2020-21583

2023-08-2200:00:00

ubuntu.com

cve-2020-21583

hwclock

unauthorized privilege escalation

arbitrary command execution

security vulnerability

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

An issue was discovered in hwclock.13-v2.27 allows attackers to gain
escalated privlidges or execute arbitrary commands via the path parameter
when setting the date.

Bugs

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786804>

Notes

Author	Note
	Priority reason: Non-default and improbable configuration
mdeslaur	This is only an issue when hwclock was modified by the administrator to be setuid root, which should never be done. Ubuntu packages are not shipped with the setuid bit set. To prevent misconfiguration, version 2.27 now prevent it from being run setuid.

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchutil-linux< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	14.04	noarch	util-linux	< any	UNKNOWN

References

launchpad.net/bugs/cve/CVE-2020-21583

nvd.nist.gov/vuln/detail/CVE-2020-21583

packetstormsecurity.com/files/132061/hwclock-Privilege-Escalation.html

security-tracker.debian.org/tracker/CVE-2020-21583

www.cve.org/CVERecord?id=CVE-2020-21583

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for UB:CVE-2020-21583