CVE-2017-5551
kernel: S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.
La función simple_set_acl en fs/posix_acl.c en el kernel de Linux en versiones anteriores a 4.9.6 preserva el bit setgid durante una llamada setxattr que implica un sistema de archivos tmpfs, lo que permite a usuarios locales obtener privilegios de grupo aprovechando la existencia de un programa setgid con restricciones sobre los permisos de ejecución. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2016-7097.
A vulnerability was found in the Linux kernel in 'tmpfs' file system. When file permissions are modified via 'chmod' and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via 'setxattr' sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in 'chmod'.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-01-20 CVE Reserved
- 2017-02-06 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/95717 | Third Party Advisory | |
http://www.securitytracker.com/id/1038053 | Vdb Entry |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://www.debian.org/security/2017/dsa-3791 | 2019-10-03 | |
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.6 | 2019-10-03 | |
https://access.redhat.com/security/cve/CVE-2017-5551 | 2017-09-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | <= 4.9.5 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.9.5" | - |
Affected
|