CVE-2017-18078
Published: 29 January 2018
systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.
Notes
Author | Note |
---|---|
ratliff | mitigated by fs.protected_hardlinks = 1 |
mdeslaur | patch simply refuses to set hardlink file permissions if the kernel hardening feature is turned off, which may result in breakage. We will not be releasing an update for this issue as our default configuration is not vulnerable. |
Priority
Status
Package | Release | Status |
---|---|---|
systemd Launchpad, Ubuntu, Debian |
artful |
Ignored
|
trusty |
Ignored
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
|
|
Patches: upstream: https://github.com/systemd/systemd/commit/5579f85663d10269e7ac7464be6548c99cea4ada |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |