Debian/Ubuntu Cron Symlink Validation Flaw Lets Local Users Bypass Security Restrictions
|
SecurityTracker Alert ID: 1038651 |
SecurityTracker URL: http://securitytracker.com/id/1038651
|
CVE Reference:
CVE-2017-9525
(Links to External Site)
|
Date: Jun 9 2017
|
Impact:
Root access via local system
|
Vendor Confirmed: Yes
|
Version(s): 3.0pl1-128 and prior on Debian; 3.0pl1-128ubuntu2 and prior on Ubuntu
|
Description:
A vulnerability was reported in Cron on Debian/Ubuntu. A local user can bypass security restrictions.
A local user can with crontab group privileges can conduct a symlink attack to exploit a flaw in the postinst maintainer script to bypass crontab privilege separation controls and gain root privileges on the target system.
The original advisory is available at:
http://www.openwall.com/lists/oss-security/2017/06/08/3
Solar Designer reported this vulnerability.
|
Impact:
A local user can bypass security controls on the target system.
|
Solution:
No solution was available at the time of this entry.
|
Cause:
Access control error
|
Underlying OS: Linux (Debian), Linux (Ubuntu)
|
|
Message History:
None.
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|