Описание
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
A flaw was found in Shadow, where it is possible to inject control characters into fields provided to the SUID program change finger(chfn). Although it is not possible to exploit this directly (for example, adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Using \r manipulations and Unicode characters to work around blocking the : character makes it possible to give the impression that a new user has been added. An adversary can convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
Отчет
The chfn library is provided in Red Hat Enterprise Linux 7, 8, and 9 by util-linux package, and not by shadow-utils. Hence, the shadow-utils package is not vulnerable by this CVE.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | shadow-utils | Not affected | ||
| Red Hat Enterprise Linux 7 | shadow-utils | Not affected | ||
| Red Hat Enterprise Linux 7 | util-linux | Not affected | ||
| Red Hat Enterprise Linux 8 | shadow-utils | Not affected | ||
| Red Hat Enterprise Linux 8 | util-linux | Not affected | ||
| Red Hat Enterprise Linux 9 | shadow-utils | Not affected | ||
| Red Hat Enterprise Linux 9 | util-linux | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
5.5 Medium
CVSS3
Связанные уязвимости
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
In Shadow 4.13 it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g. adding a new user fails because \n is in the block list) it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words an adversary may be able to convince a system administrator to take the system offline (an indirect social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
In Shadow 4.13, it is possible to inject control characters into field ...
5.5 Medium
CVSS3