CVE-2017-9525
Published: 09 June 2017
In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.
Priority
Low
CVSS 3 base score: 6.7
Status
| Package | Release | Status |
|---|---|---|
|
cron Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(3.0pl1-134ubuntu1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(3.0pl1-134ubuntu1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Needed
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needed
|
Notes
| Author | Note |
|---|---|
| jj | This appears to be mitigated by kernel symlink restrictions. The crontabs dir has the sticky bit set drwx-wx--T root crontab crontabs which means symlinks within the dir must have the same uid as the target. It is still possible that a cron package update could trigger this race. |
| seth-arnold | I believe that actually _exploiting_ the bug requires updating the cron package. So long as there's no updates for cron, the vulnerable code doesn't run. So if we find a second bug in cron then we really should fix the race condition at the same time, but so long as we don't push a cron update, the vulnerable code just plain doesn't run. the patch just narrows the time window for the race condition. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9525
- http://www.openwall.com/lists/oss-security/2017/06/08/3
- http://bugs.debian.org/864466
- NVD
- Launchpad
- Debian