CVE-2017-2616 - A race condition was found in util-linux before 2.32.1 in the way su handled the management of child

CVE-2017-2616

Summary

A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.

References

Vulnerable Configurations

cpe:2.3:a:util-linux_project:util-linux:2.24.2-1:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.24.2-1:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.29:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.29:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.29.1:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.29.1:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.29.2:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.29.2:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.30:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.30:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.30.1:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.30.1:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.30.2:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.30.2:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.31:*:*:*:*:*:*:*
cpe:2.3:a:util-linux_project:util-linux:2.31:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

CVSS

Base:	4.7 (as of 09-10-2019 - 23:26)
Impact:
Exploitability:

CWE

CWE-362

CAPEC

Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Access

Vector	Complexity	Authentication
LOCAL	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	COMPLETE

cvss-vector via4

AV:L/AC:M/Au:N/C:N/I:N/A:C

redhat via4

advisories

bugzilla

id	1418710
title	CVE-2017-2616 util-linux: Sending SIGKILL to other processes with root privileges via su

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

AND
comment coreutils is earlier than 0:8.4-46.el6
oval oval:com.redhat.rhsa:tst:20170654001
comment coreutils is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20131652002
AND
comment coreutils-libs is earlier than 0:8.4-46.el6
oval oval:com.redhat.rhsa:tst:20170654003
comment coreutils-libs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20131652004

rhsa

id	RHSA-2017:0654
released	2017-03-21
severity	Moderate
title	RHSA-2017:0654: coreutils security and bug fix update (Moderate)

bugzilla

id	1418710
title	CVE-2017-2616 util-linux: Sending SIGKILL to other processes with root privileges via su

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment libblkid is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907001
comment libblkid is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111691002

AND

comment libblkid-devel is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907003
comment libblkid-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111691004

AND
comment libmount is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907005
comment libmount is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20162605006

AND

comment libmount-devel is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907007
comment libmount-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20162605008

AND
comment libuuid is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907009
comment libuuid is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111691006

AND

comment libuuid-devel is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907011
comment libuuid-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111691008

AND
comment util-linux is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907013
comment util-linux is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20162605014
AND
comment uuidd is earlier than 0:2.23.2-33.el7_3.2
oval oval:com.redhat.rhsa:tst:20170907015
comment uuidd is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111691012

rhsa

id	RHSA-2017:0907
released	2017-04-12
severity	Moderate
title	RHSA-2017:0907: util-linux security and bug fix update (Moderate)

rpms

coreutils-0:8.4-46.el6
coreutils-debuginfo-0:8.4-46.el6
coreutils-libs-0:8.4-46.el6
libblkid-0:2.23.2-33.el7_3.2
libblkid-devel-0:2.23.2-33.el7_3.2
libmount-0:2.23.2-33.el7_3.2
libmount-devel-0:2.23.2-33.el7_3.2
libuuid-0:2.23.2-33.el7_3.2
libuuid-devel-0:2.23.2-33.el7_3.2
util-linux-0:2.23.2-33.el7_3.2
util-linux-debuginfo-0:2.23.2-33.el7_3.2
uuidd-0:2.23.2-33.el7_3.2

refmap via4

bid	96404
confirm	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2616 https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891
debian	DSA-3793
gentoo	GLSA-201706-02
sectrack	1038271

Last major update

09-10-2019 - 23:26

Published

27-07-2018 - 19:29

Last modified

09-10-2019 - 23:26