CVE-2018-13405

high-risk

Published 2018-07-06

The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.

Do I need to act?

0.17% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

45033

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (20)

Ubuntu Linux

Fedora

Mrg Realtime

Virtualization

Enterprise Linux Aus

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux For Real Time

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Tus

Affected Vendors

Debian Redhat Linux F5 Canonical Fedoraproject

References (56)

Patch http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ec...

Mailing List http://openwall.com/lists/oss-security/2018/07/13/2

Broken Link http://www.securityfocus.com/bid/106503

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:2948

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3083

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3096

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:0717

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2476

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2566

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2696

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2730

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:4159

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:4164

Mailing List https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840...

Patch https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c...

Third Party Advisory https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://support.f5.com/csp/article/K00854051

Third Party Advisory https://twitter.com/grsecurity/status/1015082951204327425

and 36 more references

/ 100

high-risk

Severity 24/34 · High

Exploitability 8/34 · Low

Exposure 27/34 · High