CVE-2021-3864

2022-08-2600:00:00

ubuntu.com

103

suid binary setting

dumpable flag

core dump permissions

local user

escalation of privileges

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

A flaw was found in the way the dumpable flag setting was handled when
certain SUID binaries executed its descendants. The prerequisite is a SUID
binary that sets real UID equal to effective UID, and real GID equal to
effective GID. The descendant will then have a dumpable value set to 1. As
a result, if the descendant process crashes and core_pattern is set to a
relative value, its core dump is stored in the current directory with
uid:gid permissions. An unprivileged local user with eligible root SUID
binary could use this flaw to place core dumps into root-owned directories,
potentially resulting in escalation of privileges.

Bugs

Notes

Author	Note
sbeattie	no fix upstream as of 2022-01-27

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchlinux< anyUNKNOWN
ubuntu20.04noarchlinux< anyUNKNOWN
ubuntu22.04noarchlinux< anyUNKNOWN
ubuntu23.10noarchlinux< anyUNKNOWN
ubuntu24.04noarchlinux< anyUNKNOWN
ubuntu20.04noarchlinux-aws< anyUNKNOWN
ubuntu22.04noarchlinux-aws< anyUNKNOWN
ubuntu23.10noarchlinux-aws< anyUNKNOWN
ubuntu24.04noarchlinux-aws< anyUNKNOWN
ubuntu20.04noarchlinux-aws-5.15< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	linux	< any	UNKNOWN
ubuntu	20.04	noarch	linux	< any	UNKNOWN
ubuntu	22.04	noarch	linux	< any	UNKNOWN
ubuntu	23.10	noarch	linux	< any	UNKNOWN
ubuntu	24.04	noarch	linux	< any	UNKNOWN
ubuntu	20.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	22.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	23.10	noarch	linux-aws	< any	UNKNOWN
ubuntu	24.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	20.04	noarch	linux-aws-5.15	< any	UNKNOWN