Vulnerabilities > CVE-2017-6590 - Incorrect Authorization vulnerability in Canonical Ubuntu Linux

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
canonical
CWE-863
nessus
NVD
Published: 2017-03-09
Updated: 2019-10-03

Summary

An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user. The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you use a certificate to login is required as well, but it's easy to create one. Then, it's possible to open a nautilus window and browse directories. One also can open some applications such as Firefox, which is useful for downloading malicious binaries.

Vulnerable Configurations

Part Description Count
OS
Canonical
4

Common Weakness Enumeration (CWE)

Nessus

NASL familyGentoo Local Security Checks
NASL idGENTOO_GLSA-201707-09.NASL
descriptionThe remote host is affected by the vulnerability described in GLSA-201707-09 (GNOME applet for NetworkManager: Arbitrary file read/write) Frederic Bardy and Quentin Biguenet discovered that GNOME applet for NetworkManager incorrectly checked permissions when connecting to certain wireless networks. Impact : A local attacker could bypass security restrictions at the login screen to access local files. Workaround : There is no known workaround at this time.
last seen2020-06-01
modified2020-06-02
plugin id101340
published2017-07-10
reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/101340
titleGLSA-201707-09 : GNOME applet for NetworkManager: Arbitrary file read/write
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201707-09.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(101340);
  script_version("$Revision: 3.2 $");
  script_cvs_date("$Date: 2018/01/26 17:15:57 $");

  script_cve_id("CVE-2017-6590");
  script_xref(name:"GLSA", value:"201707-09");

  script_name(english:"GLSA-201707-09 : GNOME applet for NetworkManager: Arbitrary file read/write");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201707-09
(GNOME applet for NetworkManager: Arbitrary file read/write)

    Frederic Bardy and Quentin Biguenet discovered that GNOME applet for
      NetworkManager incorrectly checked permissions when connecting to certain
      wireless networks.
  
Impact :

    A local attacker could bypass security restrictions at the login screen
      to access local files.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201707-09"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All GNOME applet for NetworkManager users should upgrade to the latest
      version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=gnome-extra/nm-applet-1.4.6-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nm-applet");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"gnome-extra/nm-applet", unaffected:make_list("ge 1.4.6-r1"), vulnerable:make_list("lt 1.4.6-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "GNOME applet for NetworkManager");
}

References