Vulnerabilities > CVE-2018-18955 - Incorrect Authorization vulnerability in multiple products

047910
CVSS 7.0 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
linux
canonical
CWE-863
nessus
exploit available
metasploit

Summary

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

Vulnerable Configurations

Part Description Count
OS
Linux
126
OS
Canonical
3

Common Weakness Enumeration (CWE)

Exploit-Db

  • idEDB-ID:47166
    last seen2019-07-26
    modified2018-11-21
    published2018-11-21
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/47166
    titleLinux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)
  • idEDB-ID:47167
    last seen2019-07-26
    modified2019-01-04
    published2019-01-04
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/47167
    titleLinux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)
  • idEDB-ID:47164
    last seen2019-07-26
    modified2018-11-21
    published2018-11-21
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/47164
    titleLinux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)
  • fileexploits/linux/local/45915.rb
    idEDB-ID:45915
    last seen2018-11-30
    modified2018-11-29
    platformlinux
    port
    published2018-11-29
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/45915
    titleLinux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)
    typelocal
  • idEDB-ID:47165
    last seen2019-07-26
    modified2019-01-04
    published2019-01-04
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/47165
    titleLinux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)
  • fileexploits/linux/local/45886.txt
    idEDB-ID:45886
    last seen2018-11-30
    modified2018-11-16
    platformlinux
    port
    published2018-11-16
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/45886
    titleLinux - Broken uid/gid Mapping for Nested User Namespaces
    typelocal

Metasploit

descriptionThis module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).
idMSF:EXPLOIT/LINUX/LOCAL/NESTED_NAMESPACE_IDMAP_LIMIT_PRIV_ESC
last seen2020-06-14
modified2019-11-03
published2018-11-20
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb
titleLinux Nested User Namespace idmap Limit Local Privilege Escalation

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3833-1.NASL
    descriptionJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119303
    published2018-11-30
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119303
    titleUbuntu 18.04 LTS : linux-aws vulnerabilities (USN-3833-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3835-1.NASL
    descriptionJann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972) Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281) It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445) Daniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel. (CVE-2018-18653) Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119338
    published2018-12-04
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119338
    titleUbuntu 18.10 : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3835-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3836-1.NASL
    descriptionJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119339
    published2018-12-04
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119339
    titleUbuntu 18.04 LTS : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3836-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3832-1.NASL
    descriptionJann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972) Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281) It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445) Daniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel. (CVE-2018-18653) Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119302
    published2018-11-30
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119302
    titleUbuntu 18.10 : linux-aws vulnerabilities (USN-3832-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3836-2.NASL
    descriptionUSN-3836-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119340
    published2018-12-04
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119340
    titleUbuntu 16.04 LTS : linux-hwe, linux-gcp vulnerabilities (USN-3836-2)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/150489/nested_namespace_idmap_limit_priv_esc.rb.txt
idPACKETSTORM:150489
last seen2018-11-29
published2018-11-28
reporterBrendan Coles
sourcehttps://packetstormsecurity.com/files/150489/Linux-Nested-User-Namespace-idmap-Limit-Local-Privilege-Escalation.html
titleLinux Nested User Namespace idmap Limit Local Privilege Escalation

References