CVE-2018-18955 - Incorrect Authorization vulnerability in multiple products
Attack vector | LOCAL |
Attack complexity | HIGH |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
id | EDB-ID:47166 |
last seen | 2019-07-26 |
modified | 2018-11-21 |
published | 2018-11-21 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47166 |
title | Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method) |

id | EDB-ID:47167 |
last seen | 2019-07-26 |
modified | 2019-01-04 |
published | 2019-01-04 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47167 |
title | Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method) |

id | EDB-ID:47164 |
last seen | 2019-07-26 |
modified | 2018-11-21 |
published | 2018-11-21 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47164 |
title | Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method) |

file | exploits/linux/local/45915.rb |
id | EDB-ID:45915 |
last seen | 2018-11-30 |
modified | 2018-11-29 |
platform | linux |
port | |
published | 2018-11-29 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/45915 |
title | Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit) |
type | local |

id | EDB-ID:47165 |
last seen | 2019-07-26 |
modified | 2019-01-04 |
published | 2019-01-04 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47165 |
title | Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method) |

file | exploits/linux/local/45886.txt |
id | EDB-ID:45886 |
last seen | 2018-11-30 |
modified | 2018-11-16 |
platform | linux |
port | |
published | 2018-11-16 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/45886 |
title | Linux - Broken uid/gid Mapping for Nested User Namespaces |
type | local |
Metasploit
description | This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64). |
id | MSF:EXPLOIT/LINUX/LOCAL/NESTED_NAMESPACE_IDMAP_LIMIT_PRIV_ESC |
last seen | 2020-06-14 |
modified | 2019-11-03 |
published | 2018-11-20 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb |
title | Linux Nested User Namespace idmap Limit Local Privilege Escalation |
Nessus
NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3833-1.NASL |
description | Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within an unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 119303 |
published | 2018-11-30 |
reporter | Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119303 |
title | Ubuntu 18.04 LTS : linux-aws vulnerabilities (USN-3833-1) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3835-1.NASL |
description | Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972) Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281) It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445) Daniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel. (CVE-2018-18653) Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within an unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 119338 |
published | 2018-12-04 |
reporter | Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119338 |
title | Ubuntu 18.10 : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3835-1) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3836-1.NASL |
description | Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within an unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 119339 |
published | 2018-12-04 |
reporter | Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119339 |
title | Ubuntu 18.04 LTS : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3836-1) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3832-1.NASL |
description | Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972) Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281) It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445) Daniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel. (CVE-2018-18653) Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within an unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 119302 |
published | 2018-11-30 |
reporter | Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119302 |
title | Ubuntu 18.10 : linux-aws vulnerabilities (USN-3832-1) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3836-2.NASL |
description | USN-3836-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955) Philipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within an unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 119340 |
published | 2018-12-04 |
reporter | Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119340 |
title | Ubuntu 16.04 LTS : linux-hwe, linux-gcp vulnerabilities (USN-3836-2) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/150489/nested_namespace_idmap_limit_priv_esc.rb.txt |
id | PACKETSTORM:150489 |
last seen | 2018-11-29 |
published | 2018-11-28 |
reporter | Brendan Coles |
source | https://packetstormsecurity.com/files/150489/Linux-Nested-User-Namespace-idmap-Limit-Local-Privilege-Escalation.html |
title | Linux Nested User Namespace idmap Limit Local Privilege Escalation |
References
- https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd
- http://www.securityfocus.com/bid/105941
- https://www.exploit-db.com/exploits/45886/
- https://usn.ubuntu.com/3833-1/
- https://usn.ubuntu.com/3832-1/
- https://www.exploit-db.com/exploits/45915/
- https://usn.ubuntu.com/3836-2/
- https://usn.ubuntu.com/3836-1/
- https://usn.ubuntu.com/3835-1/
- https://support.f5.com/csp/article/K39103040
- https://security.netapp.com/advisory/ntap-20190416-0003/