CVE-2018-18955
Linux Nested User Namespace idmap Limit Local Privilege Escalation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
8Exploited in Wild
-Decision
Descriptions
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
En el kernel de Linux, de las versiones 4.15.x hasta las 4.19.x anteriores a la 4.19.2, map_write() en kernel/user_namespace.c permite el escalado de privilegios debido a que gestiona incorrectamente los espacios de nombre de usuario anidados con más de 5 rangos UID o GID. Un usuario que tenga CAP_SYS_ADMIN en un espacio de nombre de usuario afectado puede omitir los controles de acceso en los recursos fuera del espacio de nombre, tal y como queda demostrado con la lectura de /etc/shadow. Esto ocurre debido a que una transformación ID ocurre correctamente para la dirección namespaced-to-kernel, pero no para la dirección kernel-to-namespaced.
Linux has a broken uid/gid mapping for nested user namespaces with greater than 5 ranges.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-11-05 CVE Reserved
- 2018-11-15 First Exploit
- 2018-11-16 CVE Published
- 2023-11-10 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (27)
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/45915 | 2024-08-05 | |
| https://www.exploit-db.com/exploits/45886 | 2024-08-05 | |
| https://www.exploit-db.com/exploits/47166 | 2018-11-21 | |
| https://www.exploit-db.com/exploits/47165 | 2019-01-04 | |
| https://www.exploit-db.com/exploits/47167 | 2019-01-04 | |
| https://www.exploit-db.com/exploits/47164 | 2018-11-21 | |
| https://github.com/scheatkode/CVE-2018-18955 | 2022-01-20 | |
| https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb | 2018-11-15 |
| URL | Date | SRC |
|---|---|---|
| https://usn.ubuntu.com/3832-1 | 2020-08-24 | |
| https://usn.ubuntu.com/3833-1 | 2020-08-24 | |
| https://usn.ubuntu.com/3835-1 | 2020-08-24 | |
| https://usn.ubuntu.com/3836-1 | 2020-08-24 | |
| https://usn.ubuntu.com/3836-2 | 2020-08-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 4.19.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.2" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10" | - |
Affected
| ||||||