CVE-2018-18955

Published: Nov 16, 2018 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2018-10659 Aliases: GSD-2018-18955
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,0
Source: [email protected]
Attack Vector: local
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
MEDIUM 4,4
Source: [email protected]
Access Vector: local
Access Complexity: medium
Authentication: none
Confidentiality: partial
Integrity: partial
Availability: partial

Description

AI Translation Available

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,1222
Percentile
0,9th
Updated

EPSS Score Trend (Last 90 Days)

863

Incorrect Authorization

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Availability
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
Technologies: Database Server, Not Technology-Specific, Web Server
Likelihood of Exploit: High
View CWE Details
Exploit

Linux - Broken uid/gid Mapping for Nested User …

Verified Local

Linux - Broken uid/gid Mapping for Nested User Namespaces

Author: Google Security Research Published: Status: Verified
View Exploit Code →
Exploit

Linux - Nested User Namespace idmap Limit Local …

Verified Local

Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)

Author: Metasploit Published: Status: Verified
View Exploit Code →
Exploit

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' …

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)

Author: bcoles Published:
View Exploit Code →
Exploit

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' …

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)

Author: bcoles Published:
View Exploit Code →
Exploit

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' …

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)

Author: bcoles Published:
View Exploit Code →
Exploit

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' …

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)

Author: bcoles Published:
View Exploit Code →
Operating System

Ubuntu Linux by Canonical

Product Information
Vendor Canonical
Product Ubuntu Linux
Version 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Ubuntu Linux by Canonical

Product Information
Vendor Canonical
Product Ubuntu Linux
Version 18.04
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Linux Kernel by Linux

Product Information
Vendor Linux
Product Linux Kernel
Version Range Affected
From 4.15 (inclusive)
To 4.19.2 (exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Ubuntu Linux by Canonical

Product Information
Vendor Canonical
Product Ubuntu Linux
Version 16.04
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.…
Patch Vendor Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d2f00…
https://bugs.chromium.org/p/project-zero/issues/detail?id=1…
Patch Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18…
Patch Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19…
Patch Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2
https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583e…
Patch Vendor Advisory
https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583eea6eb04d60001e85c6f1…
https://security.netapp.com/advisory/ntap-20190416-0003/
https://security.netapp.com/advisory/ntap-20190416-0003/
https://support.f5.com/csp/article/K39103040
https://support.f5.com/csp/article/K39103040
https://usn.ubuntu.com/3832-1/
Third Party Advisory
https://usn.ubuntu.com/3832-1/
https://usn.ubuntu.com/3833-1/
Third Party Advisory
https://usn.ubuntu.com/3833-1/
https://usn.ubuntu.com/3835-1/
Third Party Advisory
https://usn.ubuntu.com/3835-1/
https://usn.ubuntu.com/3836-1/
Third Party Advisory
https://usn.ubuntu.com/3836-1/
https://usn.ubuntu.com/3836-2/
Third Party Advisory
https://usn.ubuntu.com/3836-2/
https://www.exploit-db.com/exploits/45886/
Exploit Patch Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/45886/
https://www.exploit-db.com/exploits/45915/
Exploit Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/45915/
http://www.securityfocus.com/bid/105941
Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/105941
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.…
Patch Vendor Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d2f00…
https://bugs.chromium.org/p/project-zero/issues/detail?id=1…
Patch Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18…
Patch Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19…
Patch Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2
https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583e…
Patch Vendor Advisory
https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583eea6eb04d60001e85c6f1…
https://security.netapp.com/advisory/ntap-20190416-0003/
https://security.netapp.com/advisory/ntap-20190416-0003/
https://support.f5.com/csp/article/K39103040
https://support.f5.com/csp/article/K39103040
https://usn.ubuntu.com/3832-1/
Third Party Advisory
https://usn.ubuntu.com/3832-1/
https://usn.ubuntu.com/3833-1/
Third Party Advisory
https://usn.ubuntu.com/3833-1/
https://usn.ubuntu.com/3835-1/
Third Party Advisory
https://usn.ubuntu.com/3835-1/
https://usn.ubuntu.com/3836-1/
Third Party Advisory
https://usn.ubuntu.com/3836-1/
https://usn.ubuntu.com/3836-2/
Third Party Advisory
https://usn.ubuntu.com/3836-2/
https://www.exploit-db.com/exploits/45886/
Exploit Patch Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/45886/
https://www.exploit-db.com/exploits/45915/
Exploit Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/45915/
http://www.securityfocus.com/bid/105941
Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/105941