CVE-2017-9525

Published: 9 June 2017

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.

Notes

This appears to be mitigated by kernel symlink restrictions. The
crontabs dir has the sticky bit set
drwx-wx--T root crontab crontabs
which means symlinks within the dir must have the same uid as the
target.
It is still possible that a cron package update could trigger this race.

I believe that actually _exploiting_ the bug requires
updating the cron package. So long as there's no updates for cron,
the vulnerable code doesn't run. So if we find a second bug in
cron then we really should fix the race condition at the same
time, but so long as we don't push a cron update, the vulnerable
code just plain doesn't run.
the patch just narrows the time window for the race condition.

Priority

Low

CVSS 3 base score: 6.7

Status

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9525
• http://www.openwall.com/lists/oss-security/2017/06/08/3
• http://bugs.debian.org/864466
• https://ubuntu.com/security/notices/USN-5259-1
• https://ubuntu.com/security/notices/USN-5259-2
• https://ubuntu.com/security/notices/USN-5259-3
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864466
• https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895 (regression)
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892720 (regression)