Vulnerabilities > CVE-2017-16997 - Untrusted Search Path vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
gnu
redhat
CWE-426
nessus
NVD
Published: 2017-12-18
Updated: 2020-10-15

Summary

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

Vulnerable Configurations

Part Description Count
Application
Gnu
7
OS
Redhat
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging/Manipulating Configuration File Search Paths
    This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1257.NASL
    descriptionAccording to the version of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the
    last seen2020-03-19
    modified2019-04-04
    plugin id123725
    published2019-04-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123725
    titleEulerOS Virtualization 2.5.3 : glibc (EulerOS-SA-2019-1257)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-7714B514E2.NASL
    descriptionThis update addresses two security vulnerabilities : - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update changes the thread stack size accounting to provide additional stack space compared to previous glibc versions. For some applications (`nptd` in particular), the `PTHREAD_STACK_MIN` stack size was too small on x86-64 machines with AVX-512 support (RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-24
    plugin id106279
    published2018-01-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106279
    titleFedora 27 : glibc (2018-7714b514e2)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0011-A_GLIBC.NASL
    descriptionAn update of the glibc package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121907
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121907
    titlePhoton OS 2.0: Glibc PHSA-2018-2.0-0011-(a)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0011-A.NASL
    descriptionAn update of {'ruby', 'glibc'} packages of Photon OS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111281
    published2018-07-24
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111281
    titlePhoton OS 2.0 : ruby / glibc (PhotonOS-PHSA-2018-2.0-0011-(a)) (deprecated)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0098-A_GLIBC.NASL
    descriptionAn update of the glibc package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121798
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121798
    titlePhoton OS 1.0: Glibc PHSA-2018-1.0-0098-(a)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-30.NASL
    descriptionThis update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2018-01-16
    plugin id106059
    published2018-01-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106059
    titleopenSUSE Security Update : glibc (openSUSE-2018-30)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0098-A.NASL
    descriptionAn update of 'ruby', 'glibc' packages of Photon OS has been released.
    last seen2019-02-08
    modified2019-02-07
    plugin id111910
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111910
    titlePhoton OS 1.0: Glibc / Ruby PHSA-2018-1.0-0098-(a) (deprecated)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-8E27AD96ED.NASL
    descriptionThis update addresses two security vulnerabilities : - CVE-2017-15670, CVE-2017-15671, CVE-2017-15804: Various vulnerabilities could lead to memory corruption in the `glob` and `glob64` function. (RHBZ#1505298, RHBZ##1504807) - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update replaces the dynamic linker trampoline on x86-64 with a version which uses the `XSAVE` instruction if it is available. This improves compatibility with future hardware and compilers which do not follow the x86-64 ABI. This update also adjusts the thread stack size accounting to provide additional stack space compared to previous glibc versions (to avoid introducing RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-24
    plugin id106281
    published2018-01-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106281
    titleFedora 26 : glibc (2018-8e27ad96ed)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201804-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201804-02 (glibc: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly execute arbitrary code, escalate privileges, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id108822
    published2018-04-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108822
    titleGLSA-201804-02 : glibc: Multiple vulnerabilities
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1371.NASL
    descriptionAccording to the version of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the
    last seen2020-03-19
    modified2019-05-10
    plugin id124749
    published2019-05-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124749
    titleEulerOS Virtualization 2.5.4 : glibc (EulerOS-SA-2019-1371)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1667.NASL
    descriptionAccording to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the
    last seen2020-05-06
    modified2019-06-27
    plugin id126294
    published2019-06-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126294
    titleEulerOS 2.0 SP5 : glibc (EulerOS-SA-2019-1667)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-3092.NASL
    descriptionAn update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries (CVE-2017-16997) * glibc: Integer overflow in posix_memalign in memalign functions (CVE-2018-6485) * glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow (CVE-2018-11236) * glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118992
    published2018-11-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118992
    titleCentOS 7 : glibc (CESA-2018:3092)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1386.NASL
    descriptionAccording to the versions of the glibc packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.(CVE-2018-11236) - An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.(CVE-2018-11237) - elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the
    last seen2020-06-01
    modified2020-06-02
    plugin id124889
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124889
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : glibc (EulerOS-SA-2019-1386)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0040_GLIBC.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has glibc packages installed that are affected by multiple vulnerabilities: - An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. (CVE-2018-6485) - elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the ./ directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution. (CVE-2017-16997) - A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code. (CVE-2018-11237) - stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. (CVE-2018-11236) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127214
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127214
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : glibc Multiple Vulnerabilities (NS-SA-2019-0040)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0074-1.NASL
    descriptionThis update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106044
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106044
    titleSUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0074-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3092.NASL
    descriptionAn update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries (CVE-2017-16997) * glibc: Integer overflow in posix_memalign in memalign functions (CVE-2018-6485) * glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow (CVE-2018-11236) * glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118527
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118527
    titleRHEL 7 : glibc (RHSA-2018:3092)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3534-1.NASL
    descriptionIt was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd(2) syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges. (CVE-2018-1000001) A memory leak was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_HWCAP_MASK environment variable, in combination with CVE-2017-1000409 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000408) A heap-based buffer overflow was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_LIBRARY_PATH environment variable, in combination with CVE-2017-1000408 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000409) An off-by-one error leading to a heap-based buffer overflow was discovered in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15670) A heap-based buffer overflow was discovered during unescaping of user names with the ~ operator in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15804) It was discovered that the GNU C library dynamic loader mishandles RPATH and RUNPATH containing $ORIGIN for privileged (setuid or AT_SECURE) programs. A local attacker could potentially exploit this by providing a specially crafted library in the current working directory in order to gain administrative privileges. (CVE-2017-16997) It was discovered that the GNU C library malloc() implementation could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, resulting in a heap-based overflow. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2017-17426). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106134
    published2018-01-18
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106134
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 : eglibc, glibc vulnerabilities (USN-3534-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181030_GLIBC_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries (CVE-2017-16997) - glibc: Integer overflow in posix_memalign in memalign functions (CVE-2018-6485) - glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow (CVE-2018-11236) - glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237)
    last seen2020-03-18
    modified2018-11-27
    plugin id119182
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119182
    titleScientific Linux Security Update : glibc on SL7.x x86_64 (20181030)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1109.NASL
    descriptionA buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code.(CVE-2018-11237) elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the
    last seen2020-06-10
    modified2018-12-07
    plugin id119468
    published2018-12-07
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119468
    titleAmazon Linux AMI : glibc (ALAS-2018-1109)

Redhat

advisories
  • rhsa
    idRHBA-2019:0327
  • rhsa
    idRHSA-2018:3092
rpms
  • glibc-0:2.17-260.el7
  • glibc-common-0:2.17-260.el7
  • glibc-debuginfo-0:2.17-260.el7
  • glibc-debuginfo-common-0:2.17-260.el7
  • glibc-devel-0:2.17-260.el7
  • glibc-headers-0:2.17-260.el7
  • glibc-static-0:2.17-260.el7
  • glibc-utils-0:2.17-260.el7
  • nscd-0:2.17-260.el7

References