CVE-2016-7097
kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit
Descriptions
The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.
It was found that when file permissions were modified via chmod and the user modifying them was neither in the owning group nor capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications.
Timeline
- 2016-08-26 CVE Reserved
- 2016-10-16 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
CWE
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
References (18)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2016/08/26/3 | Mailing List | |
http://www.securityfocus.com/bid/92659 | Vdb Entry | |
http://www.securitytracker.com/id/1038201 | Vdb Entry | |
https://source.android.com/security/bulletin/2017-04-01 | X_refsource_confirm | |
https://support.f5.com/csp/article/K31603170?utm_source=f5support&%3Butm_medium=RSS | X_refsource_confirm | |
URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2017-0817.html | 2023-02-12 | |
http://www.ubuntu.com/usn/USN-3146-1 | 2023-02-12 | |
http://www.ubuntu.com/usn/USN-3146-2 | 2023-02-12 | |
http://www.ubuntu.com/usn/USN-3147-1 | 2023-02-12 | |
https://access.redhat.com/errata/RHSA-2017:1842 | 2023-02-12 | |
https://access.redhat.com/errata/RHSA-2017:2077 | 2023-02-12 | |
https://access.redhat.com/errata/RHSA-2017:2669 | 2023-02-12 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1368938 | 2017-09-06 | |
https://access.redhat.com/security/cve/CVE-2016-7097 | 2017-09-06 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | <= 4.8.2 | - | Affected |