CVE-2016-7097
kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit
Descriptions
The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.
It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications.
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security fixes: A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
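The descriptions above say that chmod clears the setgid bit for a caller who is neither in the owning group nor CAP_FSETID-capable, while the POSIX ACL path through setxattr did not. The following Python model is an added illustration, not code from this record or from the kernel: it re-implements the kernel's mode computation (modelled after posix_acl_equiv_mode and the fix's posix_acl_update_mode) in user space so the two behaviours can be compared side by side. The function names, the `(tag, perm)` ACL tuples, and the `in_group` / `cap_fsetid` flags (standing in for in_group_p() and the CAP_FSETID check) are assumptions made for the example.

```python
# Constructed model of the mode update changed by the CVE-2016-7097 fix.
# Assumptions: ACL entries are (tag, perm) tuples; `in_group` stands in for
# the kernel's in_group_p(inode->i_gid) and `cap_fsetid` for the CAP_FSETID
# check, so the policy can be exercised without root or a real filesystem.
S_ISGID = 0o2000
S_IRWXUGO = 0o777
S_IRWXG = 0o070
S_IRWXO = 0o007
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = range(6)


def acl_equiv_mode(mode, acl):
    """Fold the ACL's owner/group/other entries into the rwx bits of `mode`,
    keeping setuid/setgid/sticky untouched (as posix_acl_equiv_mode does).
    Returns (new_mode, equiv); equiv is False when the ACL carries entries
    (named users/groups, mask) that a plain mode cannot express."""
    perm, equiv = 0, True
    for tag, p in acl:
        if tag == ACL_USER_OBJ:
            perm |= (p & S_IRWXO) << 6
        elif tag == ACL_GROUP_OBJ:
            perm |= (p & S_IRWXO) << 3
        elif tag == ACL_OTHER:
            perm |= p & S_IRWXO
        elif tag == ACL_MASK:
            perm = (perm & ~S_IRWXG) | ((p & S_IRWXO) << 3)
            equiv = False
        elif tag in (ACL_USER, ACL_GROUP):
            equiv = False
        else:
            raise ValueError(f"invalid ACL tag {tag}")
    return (mode & ~S_IRWXUGO) | perm, equiv


def set_acl_mode_vulnerable(mode, acl, in_group, cap_fsetid):
    """Kernels through 4.8.2: rwx bits are rewritten, S_ISGID survives."""
    new_mode, _ = acl_equiv_mode(mode, acl)
    return new_mode


def set_acl_mode_fixed(mode, acl, in_group, cap_fsetid):
    """Post-fix behaviour: the ACL path applies the same rule as chmod."""
    new_mode, _ = acl_equiv_mode(mode, acl)
    if not in_group and not cap_fsetid:
        new_mode &= ~S_ISGID
    return new_mode


def chmod_mode(mode, new_perm, in_group, cap_fsetid):
    """Reference: what chmod already did (S_ISGID cleared for such callers)."""
    new_mode = (mode & ~S_IRWXUGO) | (new_perm & S_IRWXUGO)
    if not in_group and not cap_fsetid:
        new_mode &= ~S_ISGID
    return new_mode
```

With a 02750 file and an owner outside the owning group, `set_acl_mode_vulnerable` returns 02755 (setgid kept) while `set_acl_mode_fixed` and `chmod_mode` both return 0755; a detection rule can therefore flag setgid files whose ACL was last changed by an owner who is not a member of the file's group.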
Timeline
- 2016-08-26 CVE Reserved
- 2016-10-16 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
CWE
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
References (18)
URL | Tag | Source
---|---|---
http://www.openwall.com/lists/oss-security/2016/08/26/3 | Mailing List |
http://www.securityfocus.com/bid/92659 | Vdb Entry |
http://www.securitytracker.com/id/1038201 | Vdb Entry |
https://source.android.com/security/bulletin/2017-04-01 | X_refsource_confirm |
https://support.f5.com/csp/article/K31603170?utm_source=f5support&%3Butm_medium=RSS | X_refsource_confirm |

URL | Date | SRC
---|---|---
http://rhn.redhat.com/errata/RHSA-2017-0817.html | 2023-02-12 |
http://www.ubuntu.com/usn/USN-3146-1 | 2023-02-12 |
http://www.ubuntu.com/usn/USN-3146-2 | 2023-02-12 |
http://www.ubuntu.com/usn/USN-3147-1 | 2023-02-12 |
https://access.redhat.com/errata/RHSA-2017:1842 | 2023-02-12 |
https://access.redhat.com/errata/RHSA-2017:2077 | 2023-02-12 |
https://access.redhat.com/errata/RHSA-2017:2669 | 2023-02-12 |
https://bugzilla.redhat.com/show_bug.cgi?id=1368938 | 2017-09-06 |
https://access.redhat.com/security/cve/CVE-2016-7097 | 2017-09-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Linux | Linux Kernel | <= 4.8.2 | - | Affected