CVE-2017-9525

Published: 9 June 2017

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.

Priority

Low

CVSS 3 base score: 6.7

Status

Notes

This appears to be mitigated by kernel symlink restrictions. The
crontabs dir has the sticky bit set
drwx-wx--T root crontab crontabs
which means symlinks within the dir must have the same uid as the
target.
It is still possible that a cron package update could trigger this race.

I believe that actually _exploiting_ the bug requires
updating the cron package. So long as there's no updates for cron,
the vulnerable code doesn't run. So if we find a second bug in
cron then we really should fix the race condition at the same
time, but so long as we don't push a cron update, the vulnerable
code just plain doesn't run.
the patch just narrows the time window for the race condition.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9525
• http://www.openwall.com/lists/oss-security/2017/06/08/3
• http://bugs.debian.org/864466
• https://ubuntu.com/security/notices/USN-5259-1
• https://ubuntu.com/security/notices/USN-5259-2
• https://ubuntu.com/security/notices/USN-5259-3
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864466
• https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895 (regression)
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892720 (regression)