CVE-2018-7738

Ubuntu Security Notice USN-4512-1

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

En util-linux, en versiones anteriores a la 2.32-rc1, bash-completion/umount permite que usuarios locales obtengan privilegios embebiendo comandos shell en un nombre mountpoint, que se gestiona de manera incorrecta durante un comando umount (en Bash) ejecutado por otro usuario. Esto se demuestra iniciando sesión como root y escribiendo unmount, seguido por un carácter de tabulador para autocompletar.

Bjorn Bosselmann discovered that the umount bash completion from util-linux does not properly handle embedded shell commands in a mountpoint name. An attacker with rights to mount filesystems can take advantage of this flaw for privilege escalation if a user (in particular root) is tricked into using the umount completion while a specially crafted mount is present.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-03-06 CVE Reserved
2018-03-06 CVE Published
2024-12-13 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
http://www.securityfocus.com/bid/103367	Third Party Advisory
https://github.com/karelzak/util-linux/issues/539	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://bugs.debian.org/892179	2020-09-25
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55	2020-09-25

URL	Date	SRC
https://usn.ubuntu.com/4512-1	2020-09-25
https://www.debian.org/security/2018/dsa-4134	2020-09-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kernel Search vendor "Kernel"		Util-linux Search vendor "Kernel" for product "Util-linux"				<= 2.31 Search vendor "Kernel" for product "Util-linux" and version " <= 2.31"		-		Affected