Vulnerabilities > CVE-2006-2607 - Local Privilege Escalation vulnerability in Paul Vixie Cron 4.1

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

paul-vixie

nessus

NVD

Published: 2006-05-25

Updated: 2018-10-18

Summary

do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.

Vulnerable Configurations

Part	Description	Count
Application	Paul_Vixie Paul Vixie Vixie Cron 4.1	1

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2006-0539.NASL
description	Updated vixie-cron packages that fix a privilege escalation issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A privilege escalation flaw was found in the way Vixie Cron runs programs; vixie-cron does not properly verify an attempt to set the current process user id succeeded. It was possible for a malicious local users who exhausted certain limits to execute arbitrary commands as root via cron. (CVE-2006-2607) All users of vixie-cron should upgrade to these updated packages, which contain a backported patch to correct this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	22043
published	2006-07-13
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/22043
title	RHEL 4 : vixie-cron (RHSA-2006:0539)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200606-07.NASL
description	The remote host is affected by the vulnerability described in GLSA-200606-07 (Vixie Cron: Privilege Escalation) Roman Veretelnikov discovered that Vixie Cron fails to properly check whether it can drop privileges accordingly if setuid() in do_command.c fails due to a user exceeding assigned resource limits. Impact : Local users can execute code with root privileges by deliberately exceeding their assigned resource limits and then starting a command through Vixie Cron. This requires resource limits to be in place on the machine. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	21680
published	2006-06-11
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/21680
title	GLSA-200606-07 : Vixie Cron: Privilege Escalation

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-778-1.NASL
description	It was discovered that cron did not properly check the return code of the setgid() and initgroups() system calls. A local attacker could use this to escalate group privileges. Please note that cron versions 3.0pl1-64 and later were already patched to address the more serious setuid() check referred to by CVE-2006-2607. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	38984
published	2009-06-02
reporter	Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/38984
title	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : cron vulnerability (USN-778-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SA_2006_027.NASL
description	The remote host is missing the patch for the advisory SUSE-SA:2006:027 (cron). Vixie Cron is the default CRON daemon in all SUSE Linux based distributions. The code in do_command.c in Vixie cron does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits. This problem is known to affect only distributions with Linux 2.6 kernels, but the package was updated for all distributions for completeness. This problem is tracked by the Mitre CVE ID CVE-2006-2607.
last seen	2019-10-28
modified	2006-06-01
plugin id	21623
published	2006-06-01
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/21623
title	SUSE-SA:2006:027: cron

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2006-0539.NASL
description	Updated vixie-cron packages that fix a privilege escalation issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A privilege escalation flaw was found in the way Vixie Cron runs programs; vixie-cron does not properly verify an attempt to set the current process user id succeeded. It was possible for a malicious local users who exhausted certain limits to execute arbitrary commands as root via cron. (CVE-2006-2607) All users of vixie-cron should upgrade to these updated packages, which contain a backported patch to correct this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	22036
published	2006-07-13
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/22036
title	CentOS 4 : vixie-cron (CESA-2006:0539)

NASL family	SuSE Local Security Checks
NASL id	SUSE_CRON-1440.NASL
description	A missing check on the return value of setuid() in vixie-cron could be used by a local user to gain root privileges by exhausting resource limits and waiting for a cronjob to trigger. This is tracked by the Mitre CVE ID CVE-2006-2607.
last seen	2020-06-01
modified	2020-06-02
plugin id	27189
published	2007-10-17
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27189
title	openSUSE 10 Security Update : cron (cron-1440)

Oval

accepted

2013-04-29T04:03:35.897-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990

description

family

unix

oval:org.mitre.oval:def:10213

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

Redhat

advisories

bugzilla

id	193146
title	CVE-2006-2607 Jobs start from root when pam_limits enabled

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025
comment vixie-cron is earlier than 4:4.1-44.EL4
oval oval:com.redhat.rhsa:tst:20060539001
comment vixie-cron is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060539002

rhsa

id	RHSA-2006:0539
released	2006-07-12
severity	Important
title	RHSA-2006:0539: vixie-cron security update (Important)

rpms

vixie-cron-4:4.1-44.EL4
vixie-cron-debuginfo-4:4.1-44.EL4

Statements

contributor	Mark J Cox
lastmodified	2007-03-14
organization	Red Hat
statement	Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Summary

Vulnerable Configurations

Nessus

Oval

Redhat

Statements

References