ID CVE-2005-2876
Summary umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.
References
Vulnerable Configurations
  • cpe:2.3:a:andries_brouwer:util-linux:2.8.1_alpha
  • cpe:2.3:a:andries_brouwer:util-linux:2.8_12
  • cpe:2.3:a:andries_brouwer:util-linux:2.9i
  • cpe:2.3:a:andries_brouwer:util-linux:2.9w
  • cpe:2.3:a:andries_brouwer:util-linux:2.10f
  • cpe:2.3:a:andries_brouwer:util-linux:2.10m
  • cpe:2.3:a:andries_brouwer:util-linux:2.10p
  • cpe:2.3:a:andries_brouwer:util-linux:2.11f
  • cpe:2.3:a:andries_brouwer:util-linux:2.11n
  • cpe:2.3:a:andries_brouwer:util-linux:2.11q
  • cpe:2.3:a:andries_brouwer:util-linux:2.11r
  • cpe:2.3:a:andries_brouwer:util-linux:2.11w
  • cpe:2.3:a:andries_brouwer:util-linux:2.11x
  • cpe:2.3:a:andries_brouwer:util-linux:2.11y
  • cpe:2.3:a:andries_brouwer:util-linux:2.11z
  • cpe:2.3:a:andries_brouwer:util-linux:2.12a
  • cpe:2.3:a:andries_brouwer:util-linux:2.12b
  • cpe:2.3:a:andries_brouwer:util-linux:2.12i
  • cpe:2.3:a:andries_brouwer:util-linux:2.12j
  • cpe:2.3:a:andries_brouwer:util-linux:2.12k
  • cpe:2.3:a:andries_brouwer:util-linux:2.12o
  • cpe:2.3:a:andries_brouwer:util-linux:2.12p
  • cpe:2.3:a:andries_brouwer:util-linux:2.12q
  • cpe:2.3:a:andries_brouwer:util-linux:2.13_pre1
  • cpe:2.3:a:andries_brouwer:util-linux:2.13_pre2
CVSS
Base: 7.2 (as of 14-09-2005 - 08:23)
Impact:
Exploitability:
Access
Vector Complexity Authentication
LOCAL LOW NONE
Impact
Confidentiality Integrity Availability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-782.NASL
    description Updated util-linux and mount packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. The mount package contains the mount, umount, swapon and swapoff programs. A bug was found in the way the umount command is executed by normal users. It may be possible for a user to gain elevated privileges if the user is able to execute the 'umount -r' command on a mounted file system. The file system will be re-mounted only with the 'readonly' flag set, clearing flags such as 'nosuid' and 'noexec'. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2876 to this issue. This update also fixes a hardlink bug in the script command for Red Hat Enterprise Linux 2.1. If a local user places a hardlinked file named 'typescript' in a directory they have write access to, the file will be overwritten if the user running script has write permissions to the destination file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2001-1494 to this issue. All users of util-linux and mount should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21858
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21858
    title CentOS 3 / 4 : util-linux / mount (CESA-2005:782)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-825.NASL
    description David Watson discovered a bug in mount as provided by util-linux and other packages such as loop-aes-utils that allows local users to bypass filesystem access restrictions by re-mounting it read-only.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 19794
    published 2005-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19794
    title Debian DSA-825-1 : loop-aes-utils - privilege escalation
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-167.NASL
    description David Watson discovered that the umount utility, when using the '-r' command, could remove some restrictive mount options such as 'nosuid'. If /etc/fstab contained user-mountable removable devices that specified nosuid, a local attacker could exploit this flaw to execute arbitrary programs with root privileges by calling 'umount -r' on a removable device. The updated packages have been patched to ensure that '-r' can only be called by the root user.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 19922
    published 2005-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19922
    title Mandrake Linux Security Advisory : util-linux (MDKSA-2005:167)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-184-1.NASL
    description David Watson discovered that 'umount -r' removed some restrictive mount options like the 'nosuid' flag. If /etc/fstab contains user-mountable removable devices which specify the 'nosuid' flag (which is common practice for such devices), a local attacker could exploit this to execute arbitrary programs with root privileges by calling 'umount -r' on a removable device. This does not affect the default Ubuntu configuration. Since Ubuntu mounts removable devices automatically, there is normally no need to configure them manually in /etc/fstab. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 20595
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20595
    title Ubuntu 4.10 / 5.04 : util-linux vulnerability (USN-184-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-782.NASL
    description Updated util-linux and mount packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. The mount package contains the mount, umount, swapon and swapoff programs. A bug was found in the way the umount command is executed by normal users. It may be possible for a user to gain elevated privileges if the user is able to execute the 'umount -r' command on a mounted file system. The file system will be re-mounted only with the 'readonly' flag set, clearing flags such as 'nosuid' and 'noexec'. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2876 to this issue. This update also fixes a hardlink bug in the script command for Red Hat Enterprise Linux 2.1. If a local user places a hardlinked file named 'typescript' in a directory they have write access to, the file will be overwritten if the user running script has write permissions to the destination file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2001-1494 to this issue. All users of util-linux and mount should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20048
    published 2005-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20048
    title RHEL 2.1 / 3 / 4 : util-linux and mount (RHSA-2005:782)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200509-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-200509-15 (util-linux: umount command validation error) When a regular user mounts a filesystem, they are subject to restrictions in the /etc/fstab configuration file. David Watson discovered that when unmounting a filesystem with the '-r' option, the read-only bit is set, while other bits, such as nosuid or nodev, are not set, even if they were previously. Impact: An unprivileged user facing nosuid or nodev restrictions can umount -r a filesystem clearing those bits, allowing applications to be executed suid, or have device nodes interpreted. In the case where the user can freely modify the contents of the filesystem, privilege escalation may occur as a custom program may execute with suid permissions. Workaround: Two workarounds exist: the suid bit can be removed from the umount utility, or users can be restricted from mounting and unmounting filesystems in /etc/fstab.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 19814
    published 2005-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19814
    title GLSA-200509-15 : util-linux: umount command validation error
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-823.NASL
    description David Watson discovered a bug in mount as provided by util-linux and other packages such as loop-aes-utils that allows local users to bypass filesystem access restrictions by re-mounting it read-only.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 19792
    published 2005-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19792
    title Debian DSA-823-1 : util-linux - privilege escalation
oval via4
accepted 2013-04-29T04:09:58.563-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.
family unix
id oval:org.mitre.oval:def:10921
status accepted
submitted 2010-07-09T03:56:16-04:00
title umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.
version 23
redhat via4
rpms
  • util-linux-0:2.11y-31.11
  • mount-0:2.11y-31.11
  • losetup-0:2.11y-31.11
  • util-linux-0:2.12a-16.EL4.12
refmap via4
bid 14816
bugtraq 20050912 util-linux: unintentional grant of privileges by umount
debian
  • DSA-823
  • DSA-825
fedora FLSA:168326
misc http://support.avaya.com/elmodocs2/security/ASA-2006-014.htm
osvdb 19369
secunia
  • 16785
  • 16988
  • 17004
  • 17027
  • 17133
  • 17154
  • 18502
sunalert 101960
suse SUSE-SR:2005:021
trustix 2005-0049
ubuntu USN-184
xf utillinux-umount-gain-privileges(22241)
Last major update 17-10-2016 - 23:31
Published 13-09-2005 - 19:03
Last modified 19-10-2018 - 11:34