Vulnerabilities > CVE-2018-1063

047910
CVSS 4.4 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
NONE
local
low complexity
redhat
selinux-project
nessus

Summary

Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11.

Vulnerable Configurations

Part Description Count
OS
Redhat
1
Application
Selinux_Project
1

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0913.NASL
    descriptionAn update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108991
    published2018-04-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108991
    titleRHEL 7 : policycoreutils (RHSA-2018:0913)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:0913. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108991);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/24 15:35:44");
    
      script_cve_id("CVE-2018-1063");
      script_xref(name:"RHSA", value:"2018:0913");
    
      script_name(english:"RHEL 7 : policycoreutils (RHSA-2018:0913)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for policycoreutils is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Low. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link (s) in the References section.
    
    The policycoreutils packages contain the core policy utilities
    required to manage a SELinux environment.
    
    Security Fix(es) :
    
    * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp
    change the context of their target instead (CVE-2018-1063)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    This issue was discovered by Renaud Metrich (Red Hat).
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      # https://access.redhat.com/documentation/en-US/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dde41582"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:0913"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1063"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-gui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-newrole");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-restorecond");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-sandbox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:0913";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_NOTE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"policycoreutils-debuginfo-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"policycoreutils-devel-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-gui-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-gui-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-newrole-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-newrole-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-python-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-python-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-restorecond-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-restorecond-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-sandbox-2.5-22.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-sandbox-2.5-22.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_NOTE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils / policycoreutils-debuginfo / policycoreutils-devel / etc");
      }
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0927-1.NASL
    descriptionThis update for policycoreutils fixes the following issues : - CVE-2018-1063: Prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109015
    published2018-04-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109015
    titleSUSE SLES11 Security Update : policycoreutils (SUSE-SU-2018:0927-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0927-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109015);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2018-1063");
    
      script_name(english:"SUSE SLES11 Security Update : policycoreutils (SUSE-SU-2018:0927-1)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for policycoreutils fixes the following issues :
    
      - CVE-2018-1063: Prevent chcon from following symlinks in
        /tmp, /var/tmp, /var/run and /var/lib/debug
        (bsc#1083624).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083624"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1063/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180927-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?371831ef"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-policycoreutils-13556=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-policycoreutils-13556=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:policycoreutils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"policycoreutils-2.0.79-4.9.3.3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-0913.NASL
    descriptionFrom Red Hat Security Advisory 2018:0913 : An update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109110
    published2018-04-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109110
    titleOracle Linux 7 : policycoreutils (ELSA-2018-0913)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2018:0913 and 
    # Oracle Linux Security Advisory ELSA-2018-0913 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109110);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2018-1063");
      script_xref(name:"RHSA", value:"2018:0913");
    
      script_name(english:"Oracle Linux 7 : policycoreutils (ELSA-2018-0913)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2018:0913 :
    
    An update for policycoreutils is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Low. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link (s) in the References section.
    
    The policycoreutils packages contain the core policy utilities
    required to manage a SELinux environment.
    
    Security Fix(es) :
    
    * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp
    change the context of their target instead (CVE-2018-1063)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    This issue was discovered by Renaud Metrich (Red Hat).
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007615.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected policycoreutils packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-gui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-newrole");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-restorecond");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-sandbox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-2.5-22.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-devel-2.5-22.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-gui-2.5-22.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-newrole-2.5-22.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-python-2.5-22.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-restorecond-2.5-22.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-sandbox-2.5-22.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils / policycoreutils-devel / policycoreutils-gui / etc");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1076.NASL
    descriptionContext relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing).(CVE-2018-1063)
    last seen2020-06-01
    modified2020-06-02
    plugin id117590
    published2018-09-19
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117590
    titleAmazon Linux 2 : policycoreutils (ALAS-2018-1076)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1076.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117590);
      script_version("1.1");
      script_cvs_date("Date: 2018/09/19 10:04:09");
    
      script_cve_id("CVE-2018-1063");
      script_xref(name:"ALAS", value:"2018-1076");
    
      script_name(english:"Amazon Linux 2 : policycoreutils (ALAS-2018-1076)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Context relabeling of filesystems is vulnerable to symbolic link
    attack, allowing a local, unprivileged malicious entity to change the
    SELinux context of an arbitrary file to a context with few
    restrictions. This only happens when the relabeling process is done,
    usually when taking SELinux state from disabled to enable (permissive
    or enforcing).(CVE-2018-1063)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1076.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update policycoreutils' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-gui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-newrole");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-restorecond");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-sandbox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/09/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", reference:"policycoreutils-2.5-22.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"policycoreutils-debuginfo-2.5-22.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"policycoreutils-devel-2.5-22.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"policycoreutils-gui-2.5-22.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"policycoreutils-newrole-2.5-22.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"policycoreutils-python-2.5-22.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"policycoreutils-restorecond-2.5-22.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"policycoreutils-sandbox-2.5-22.amzn2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils / policycoreutils-debuginfo / policycoreutils-devel / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2400.NASL
    descriptionAccording to the version of the policycoreutils packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11.(CVE-2018-1063) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-10
    plugin id131892
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131892
    titleEulerOS 2.0 SP2 : policycoreutils (EulerOS-SA-2019-2400)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0030_POLICYCOREUTILS.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has policycoreutils packages installed that are affected by a vulnerability: - Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). (CVE-2018-1063) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127195
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127195
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : policycoreutils Vulnerability (NS-SA-2019-0030)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1423.NASL
    descriptionAccording to the version of the policycoreutils packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11.(CVE-2018-1063) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2020-04-15
    plugin id135552
    published2020-04-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135552
    titleEulerOS 2.0 SP3 : policycoreutils (EulerOS-SA-2020-1423)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0926-1.NASL
    descriptionThis update for policycoreutils fixes the following issues : - CVE-2018-1063: Fixed problem to prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109014
    published2018-04-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109014
    titleSUSE SLES12 Security Update : policycoreutils (SUSE-SU-2018:0926-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180410_POLICYCOREUTILS_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) This issue was discovered by Renaud Mtrich (Red Hat). Additional Changes :
    last seen2020-03-18
    modified2018-05-01
    plugin id109457
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109457
    titleScientific Linux Security Update : policycoreutils on SL7.x x86_64 (20180410)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-0913.NASL
    descriptionAn update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109377
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109377
    titleCentOS 7 : policycoreutils (CESA-2018:0913)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-362.NASL
    descriptionThis update for policycoreutils fixes the following issues : - CVE-2018-1063: Fixed problem to prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2018-04-13
    plugin id109023
    published2018-04-13
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109023
    titleopenSUSE Security Update : policycoreutils (openSUSE-2018-362)

Redhat

advisories
bugzilla
id1550122
titleCVE-2018-1063 policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentpolicycoreutils is earlier than 0:2.5-22.el7
          ovaloval:com.redhat.rhsa:tst:20180913001
        • commentpolicycoreutils is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110414020
      • AND
        • commentpolicycoreutils-sandbox is earlier than 0:2.5-22.el7
          ovaloval:com.redhat.rhsa:tst:20180913003
        • commentpolicycoreutils-sandbox is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110414014
      • AND
        • commentpolicycoreutils-devel is earlier than 0:2.5-22.el7
          ovaloval:com.redhat.rhsa:tst:20180913005
        • commentpolicycoreutils-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20162702016
      • AND
        • commentpolicycoreutils-gui is earlier than 0:2.5-22.el7
          ovaloval:com.redhat.rhsa:tst:20180913007
        • commentpolicycoreutils-gui is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110414012
      • AND
        • commentpolicycoreutils-restorecond is earlier than 0:2.5-22.el7
          ovaloval:com.redhat.rhsa:tst:20180913009
        • commentpolicycoreutils-restorecond is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20162702013
      • AND
        • commentpolicycoreutils-newrole is earlier than 0:2.5-22.el7
          ovaloval:com.redhat.rhsa:tst:20180913011
        • commentpolicycoreutils-newrole is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110414016
      • AND
        • commentpolicycoreutils-python is earlier than 0:2.5-22.el7
          ovaloval:com.redhat.rhsa:tst:20180913013
        • commentpolicycoreutils-python is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110414018
rhsa
idRHSA-2018:0913
released2018-04-10
severityLow
titleRHSA-2018:0913: policycoreutils security, bug fix, and enhancement update (Low)
rpms
  • policycoreutils-0:2.5-22.el7
  • policycoreutils-debuginfo-0:2.5-22.el7
  • policycoreutils-devel-0:2.5-22.el7
  • policycoreutils-gui-0:2.5-22.el7
  • policycoreutils-newrole-0:2.5-22.el7
  • policycoreutils-python-0:2.5-22.el7
  • policycoreutils-restorecond-0:2.5-22.el7
  • policycoreutils-sandbox-0:2.5-22.el7