CVE-2023-29383

2023-04-1400:00:00

ubuntu.com

shadow 4.13

control character injection

chfn

/etc/passwd

denial of service

unicode characters

system administrator

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

15.6%

JSON

In Shadow 4.13, it is possible to inject control characters into fields
provided to the SUID program chfn (change finger). Although it is not
possible to exploit this directly (e.g., adding a new user fails because \n
is in the block list), it is possible to misrepresent the /etc/passwd file
when viewed. Use of \r manipulations and Unicode characters to work around
blocking of the : character make it possible to give the impression that a
new user has been added. In other words, an adversary may be able to
convince a system administrator to take the system offline (an indirect,
social-engineered denial of service) by demonstrating that “cat
/etc/passwd” shows a rogue user account.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034482>

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchshadow< anyUNKNOWN
ubuntu20.04noarchshadow< anyUNKNOWN
ubuntu22.04noarchshadow< anyUNKNOWN
ubuntu23.10noarchshadow< anyUNKNOWN
ubuntu14.04noarchshadow< anyUNKNOWN
ubuntu16.04noarchshadow< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	shadow	< any	UNKNOWN
ubuntu	20.04	noarch	shadow	< any	UNKNOWN
ubuntu	22.04	noarch	shadow	< any	UNKNOWN
ubuntu	23.10	noarch	shadow	< any	UNKNOWN
ubuntu	14.04	noarch	shadow	< any	UNKNOWN
ubuntu	16.04	noarch	shadow	< any	UNKNOWN