Red Hat Product Security has been made aware of two security vulnerabilities in the
userhelper utility (part of the
usermode package) and the
libuser library. Authenticated, local users with shell access could use one of these vulnerabilities to achieve local privilege escalation to the root user. These flaws have been assigned CVE-2015-3245 and CVE-2015-3246. The second vulnerability has been rated as having an Important impact. Red Hat would like to thank Qualys for reporting these issues.
libuser library implements a standardized interface for manipulating and administering user and group accounts. The
userhelper program, which is included in the
usermode package, provides a basic non-interactive interface for changing a user's password, the GECOS field, and shell.
See the following two sections for descriptions of the two related vulnerabilities.
Race condition in password file update (CVE-2015-3246, Important)
A flaw was found in the way the
libuser library handled the
/etc/passwd file. Even though traditional programs like
chsh work on a temporary copy of
/etc/passwd and eventually use the
rename() function to rename the temporary copy,
/etc/passwd directly. Unfortunately, if anything went wrong during these modifications,
libuser may have left
/etc/passwd in an inconsistent state.
This behavior could result in a local denial-of-service attack, or authenticated local users could use this vulnerability to escalate their privileges to the root user.
See the table below for links to security advisories that address this issue.
Lack of validation of GECOS field contents (CVE-2015-3245, Moderate)
It was found that the
chfn function of the
userhelper utility did not properly filter out newline characters. The
chfn function implemented by the
userhelper utility verified that the fields it was given on the command line were valid (that is, contain no forbidden characters). Unfortunately, these forbidden characters (
:,=) did not include the
\n character and allowed local attackers to inject newline characters into the
/etc/passwd file and alter this file in unexpected ways.
A local attacker could use this flaw to corrupt the
/etc/passwd file, which could result in a denial-of-service attack on the system.
Note: This issue, while initially attributed to the
usermode package, is being fixed with an update to
libuser had to be changed to address the CVE-2015-3246 vulnerability anyway.
All versions of the
libuser library included with Red Hat Enterprise Linux 6 and 7 are affected by these flaws. See the table below for links to respective security advisories that fix this issue:
|Red Hat Enterprise Linux 6||RHSA-2015:1482|
|Red Hat Enterprise Linux 7||RHSA-2015:1483|
This issue also affects Red Hat Enterprise Linux 5, which is now in Production 3 Phase of the support and maintenance life cycle. Therefore, the issue is not currently planned to be addressed in future updates on Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle.
Atomic Host & Containers
All Red Hat released official container images include a vulnerable version of the
libuser library. Concerned users can use these containers' built-in yum functionality to update to fixed versions (see 'Resolution' below). This resolves the vulnerability. Updated builds of these containers reflecting these updates will be released soon.
Atomic Host includes a vulnerable version of the
libuser library. It is possible to update any containers hosted by Atomic to fixed versions of these packages using their built-in yum functionality. It is not possible to exploit Atomic host from within a container using these issues. The next cumulative update will include fixes for Atomic Host.
Cloud Images and Appliances
All Red Hat released official cloud and appliance images include a vulnerable version of the
libuser library. Concerned users can use these containers' built-in yum functionality to update to fixed versions (see 'Resolution' below). This resolves the vulnerability. Updated respins of these containers reflecting these updates will be released soon.
Amazon Web Services
Red Hat Enterprise Linux Amazon Machine Instances includes a vulnerable version of the
libuser library. It is possible to update any systems to fixed versions of these packages using their built-in yum functionality (see 'Resolution' below).
The Red Hat Enterprise Virtualization Hypervisor appliance images include a vulnerable version of the
libuser library. These images should only be used to host virtual machines and should not have untrusted local users.
It is not possible to attack RHEV-H hosts from within a virtual machine by exploiting these issues. A future update of the RHEV-H image will address this vulnerability.
To eliminate the possibility of exploitation, install the updated
libuser packages that have been made available through the advisories listed in the above table.
To install the updates, use the yum package manager as follows:
To only update the
libuser package and its dependencies, use:
yum update libuser
Due to the way
libuser works, only users who have accounts already listed in
/etc/passwd can exploit these vulnerabilities, and the user needs to supply the account password as part of the attack. These requirements mean that exploitation by accounts listed only in LDAP (or some other NSS data source), or by system accounts without a valid password is not possible.
On systems where updating
libuser is not possible, system administrators can add
pam_deny rules to the two files,
/etc/pam.d/chsh, to prevent non-root users from using the vulnerable services. With these edits, the files should contain:
#%PAM-1.0 auth sufficient pam_rootok.so auth required pam_warn.so auth required pam_deny.so auth include system-auth account include system-auth password include system-auth session include system-auth
Afterwards, attempts by unprivileged users to use
chsh (and the respective functionality in the
userhelper program) will fail, and will be logged (by default in