Vulnerabilities > CVE-2018-1063 - Link Following vulnerability in multiple products

CVSS 4.4 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

local

low complexity

redhat

selinux-project

CWE-59

nessus

NVD

Published: 2018-03-02

Updated: 2023-11-07

Summary

Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11.

Vulnerable Configurations

Part	Description	Count
OS	Redhat Redhat Enterprise Linux 7.0	1
Application	Selinux_Project Selinux Project Selinux -	1

Common Weakness Enumeration (CWE)

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Common Attack Pattern Enumeration and Classification (CAPEC)

Symlink Attack
An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
Accessing, Modifying or Executing Executable Files
An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Manipulating Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2018-0913.NASL
description	An update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	108991
published	2018-04-11
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108991
title	RHEL 7 : policycoreutils (RHSA-2018:0913)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:0913. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(108991); script_version("1.8"); script_cvs_date("Date: 2019/10/24 15:35:44"); script_cve_id("CVE-2018-1063"); script_xref(name:"RHSA", value:"2018:0913"); script_name(english:"RHEL 7 : policycoreutils (RHSA-2018:0913)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section." ); # https://access.redhat.com/documentation/en-US/red_hat_enterprise_linux/7/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?dde41582" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:0913" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-1063" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-gui"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-newrole"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-restorecond"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:policycoreutils-sandbox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/02"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:0913"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"policycoreutils-debuginfo-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"policycoreutils-devel-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-gui-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-gui-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-newrole-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-newrole-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-python-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-python-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-restorecond-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-restorecond-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"policycoreutils-sandbox-2.5-22.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"policycoreutils-sandbox-2.5-22.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils / policycoreutils-debuginfo / policycoreutils-devel / etc"); } }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0927-1.NASL
description	This update for policycoreutils fixes the following issues : - CVE-2018-1063: Prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	109015
published	2018-04-12
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109015
title	SUSE SLES11 Security Update : policycoreutils (SUSE-SU-2018:0927-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:0927-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(109015); script_version("1.4"); script_cvs_date("Date: 2019/09/10 13:51:47"); script_cve_id("CVE-2018-1063"); script_name(english:"SUSE SLES11 Security Update : policycoreutils (SUSE-SU-2018:0927-1)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for policycoreutils fixes the following issues : - CVE-2018-1063: Prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1083624" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1063/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20180927-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?371831ef" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-policycoreutils-13556=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-policycoreutils-13556=1" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:policycoreutils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/02"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", reference:"policycoreutils-2.0.79-4.9.3.3")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils"); }

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2018-0913.NASL
description	From Red Hat Security Advisory 2018:0913 : An update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	109110
published	2018-04-18
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109110
title	Oracle Linux 7 : policycoreutils (ELSA-2018-0913)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:0913 and # Oracle Linux Security Advisory ELSA-2018-0913 respectively. # include("compat.inc"); if (description) { script_id(109110); script_version("1.3"); script_cvs_date("Date: 2019/09/27 13:00:38"); script_cve_id("CVE-2018-1063"); script_xref(name:"RHSA", value:"2018:0913"); script_name(english:"Oracle Linux 7 : policycoreutils (ELSA-2018-0913)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2018:0913 : An update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007615.html" ); script_set_attribute( attribute:"solution", value:"Update the affected policycoreutils packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-gui"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-newrole"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-restorecond"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:policycoreutils-sandbox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/02"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| !pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-2.5-22.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-devel-2.5-22.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-gui-2.5-22.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-newrole-2.5-22.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-python-2.5-22.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-restorecond-2.5-22.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"policycoreutils-sandbox-2.5-22.el7")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils / policycoreutils-devel / policycoreutils-gui / etc"); }

NASL family	Amazon Linux Local Security Checks
NASL id	AL2_ALAS-2018-1076.NASL
description	Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing).(CVE-2018-1063)
last seen	2020-06-01
modified	2020-06-02
plugin id	117590
published	2018-09-19
reporter	This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/117590
title	Amazon Linux 2 : policycoreutils (ALAS-2018-1076)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1076. # include("compat.inc"); if (description) { script_id(117590); script_version("1.1"); script_cvs_date("Date: 2018/09/19 10:04:09"); script_cve_id("CVE-2018-1063"); script_xref(name:"ALAS", value:"2018-1076"); script_name(english:"Amazon Linux 2 : policycoreutils (ALAS-2018-1076)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux 2 host is missing a security update." ); script_set_attribute( attribute:"description", value: "Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing).(CVE-2018-1063)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1076.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update policycoreutils' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-gui"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-newrole"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-restorecond"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:policycoreutils-sandbox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2"); script_set_attribute(attribute:"patch_publication_date", value:"2018/09/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) \|\| !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A\|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "2") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"AL2", reference:"policycoreutils-2.5-22.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"policycoreutils-debuginfo-2.5-22.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"policycoreutils-devel-2.5-22.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"policycoreutils-gui-2.5-22.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"policycoreutils-newrole-2.5-22.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"policycoreutils-python-2.5-22.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"policycoreutils-restorecond-2.5-22.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"policycoreutils-sandbox-2.5-22.amzn2")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "policycoreutils / policycoreutils-debuginfo / policycoreutils-devel / etc"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2400.NASL
description	According to the version of the policycoreutils packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11.(CVE-2018-1063) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-08
modified	2019-12-10
plugin id	131892
published	2019-12-10
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131892
title	EulerOS 2.0 SP2 : policycoreutils (EulerOS-SA-2019-2400)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0030_POLICYCOREUTILS.NASL
description	The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has policycoreutils packages installed that are affected by a vulnerability: - Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). (CVE-2018-1063) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	127195
published	2019-08-12
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127195
title	NewStart CGSL CORE 5.04 / MAIN 5.04 : policycoreutils Vulnerability (NS-SA-2019-0030)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2020-1423.NASL
description	According to the version of the policycoreutils packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11.(CVE-2018-1063) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2020-04-15
plugin id	135552
published	2020-04-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135552
title	EulerOS 2.0 SP3 : policycoreutils (EulerOS-SA-2020-1423)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0926-1.NASL
description	This update for policycoreutils fixes the following issues : - CVE-2018-1063: Fixed problem to prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	109014
published	2018-04-12
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109014
title	SUSE SLES12 Security Update : policycoreutils (SUSE-SU-2018:0926-1)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20180410_POLICYCOREUTILS_ON_SL7_X.NASL
description	Security Fix(es) : - policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) This issue was discovered by Renaud Mtrich (Red Hat). Additional Changes :
last seen	2020-03-18
modified	2018-05-01
plugin id	109457
published	2018-05-01
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109457
title	Scientific Linux Security Update : policycoreutils on SL7.x x86_64 (20180410)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2018-0913.NASL
description	An update for policycoreutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es) : * policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead (CVE-2018-1063) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Renaud Metrich (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	109377
published	2018-04-27
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109377
title	CentOS 7 : policycoreutils (CESA-2018:0913)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2018-362.NASL
description	This update for policycoreutils fixes the following issues : - CVE-2018-1063: Fixed problem to prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624). This update was imported from the SUSE:SLE-12-SP2:Update update project.
last seen	2020-06-05
modified	2018-04-13
plugin id	109023
published	2018-04-13
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109023
title	openSUSE Security Update : policycoreutils (openSUSE-2018-362)

Redhat

advisories

bugzilla

id	1550122
title	CVE-2018-1063 policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment policycoreutils is earlier than 0:2.5-22.el7
oval oval:com.redhat.rhsa:tst:20180913001
comment policycoreutils is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110414020

AND

comment policycoreutils-sandbox is earlier than 0:2.5-22.el7
oval oval:com.redhat.rhsa:tst:20180913003
comment policycoreutils-sandbox is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110414014

AND

comment policycoreutils-devel is earlier than 0:2.5-22.el7
oval oval:com.redhat.rhsa:tst:20180913005
comment policycoreutils-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20162702016

AND

comment policycoreutils-gui is earlier than 0:2.5-22.el7
oval oval:com.redhat.rhsa:tst:20180913007
comment policycoreutils-gui is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110414012

AND

comment policycoreutils-restorecond is earlier than 0:2.5-22.el7
oval oval:com.redhat.rhsa:tst:20180913009
comment policycoreutils-restorecond is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20162702013

AND

comment policycoreutils-newrole is earlier than 0:2.5-22.el7
oval oval:com.redhat.rhsa:tst:20180913011
comment policycoreutils-newrole is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110414016

AND

comment policycoreutils-python is earlier than 0:2.5-22.el7
oval oval:com.redhat.rhsa:tst:20180913013
comment policycoreutils-python is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110414018

rhsa

id	RHSA-2018:0913
released	2018-04-10
severity	Low
title	RHSA-2018:0913: policycoreutils security, bug fix, and enhancement update (Low)

rpms

policycoreutils-0:2.5-22.el7
policycoreutils-debuginfo-0:2.5-22.el7
policycoreutils-devel-0:2.5-22.el7
policycoreutils-gui-0:2.5-22.el7
policycoreutils-newrole-0:2.5-22.el7
policycoreutils-python-0:2.5-22.el7
policycoreutils-restorecond-0:2.5-22.el7
policycoreutils-sandbox-0:2.5-22.el7

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References