CVE-2019-15790

Apport reads PID files with elevated privileges

Severity Score

3.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged running process by exploiting PID recycling. This information could then be used to obtain ASLR offsets for a process with an existing memory corruption vulnerability. The initial fix introduced regressions in the Python Apport library due to a missing argument in Report.add_proc_environ in apport/report.py. It also caused an autopkgtest failure when reading /proc/pid and with Python 2 compatibility by reading /proc maps. The initial and subsequent regression fixes are in 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 and 2.14.1-0ubuntu3.29+esm3.

Apport lee y escribe información sobre un proceso bloqueado en /proc/pid con privilegios elevados. Apport determina a qué usuario pertenece el proceso bloqueado leyendo /proc/pid por medio de la función get_pid_info() en el archivo data/apport. Un usuario no privilegiado podría aprovechar esto para leer información sobre un proceso de ejecución privilegiado al explotar el reciclaje PID. Esta información podría ser usada para obtener compensaciones de ASLR para un proceso con una vulnerabilidad de corrupción de la memoria existente. La corrección inicial introdujo regresiones en la biblioteca Python de Apport debido a la falta de argumento en Report.add_proc_environ en apport/report.py. También causó un fallo de autopkgtest cuando se lee /proc/pid y con la compatibilidad con Python 2 por medio de la lectura de mapas /proc. Las correcciones de regresión iniciales y posteriores están en las versiones 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 y 2.14.1-0ubuntu3.29+esm3.

*Credits: Kevin Backhouse

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-08-29 CVE Reserved
2019-10-30 CVE Published
2023-03-08 EPSS Updated
2024-09-16 CVE Updated
2024-09-16 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-250: Execution with Unnecessary Privileges
CWE-269: Improper Privilege Management

CAPEC

References (10)

URL	Tag	Source
http://packetstormsecurity.com/files/172858/Ubuntu-Apport-Whoopsie-DoS-Integer-Overflow.html
https://bugs.launchpad.net/apport/+bug/1854237	Issue Tracking
https://usn.ubuntu.com/4171-1	Third Party Advisory
https://usn.ubuntu.com/4171-2	Third Party Advisory
https://usn.ubuntu.com/4171-3	Third Party Advisory
https://usn.ubuntu.com/4171-4	Third Party Advisory
https://usn.ubuntu.com/4171-5	Third Party Advisory

URL	Date	SRC
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1839795	2024-09-16
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1850929	2024-09-16
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1851806	2024-09-16

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apport Project Search vendor "Apport Project"		Apport Search vendor "Apport Project" for product "Apport"				-		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10"		-		Affected