CVE-2024-43882

CVE Details

Release Date: 2024-08-21

Description


In the Linux kernel, the following vulnerability has been resolved:

exec: Fix ToCToU between perm check and set-uid/gid usage

When opening a file for exec via do_filp_open(), permission checking is
done against the file's metadata at that moment, and on success, a file
pointer is passed back. Much later in the execve() code path, the file
metadata (specifically mode, uid, and gid) is used to determine if/how
to set the uid and gid. However, those values may have changed since the
permissions check, meaning the execution may gain unintended privileges.

For example, if a file could change permissions from executable and not
set-id:

---------x 1 root root 16048 Aug 7 13:16 target

to set-id and non-executable:

---S------ 1 root root 16048 Aug 7 13:16 target

it is possible to gain root privileges when execution should have been
disallowed.

While this race condition is rare in real-world scenarios, it has been
observed (and proven exploitable) when package managers are updating
the setuid bits of installed programs. Such files start with being
world-executable but then are adjusted to be group-exec with a set-uid
bit. For example, 'chmod o-x,u+s target' makes 'target' executable only
by uid 'root' and gid 'cdrom', while also becoming setuid-root:

-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target

becomes:

-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target

But racing the chmod means users without group 'cdrom' membership can
get the permission to execute 'target' just before the chmod, and when
the chmod finishes, the exec reaches bprm_fill_uid(), and performs the
setuid to root, violating the expressed authorization of 'only cdrom
group members can setuid to root'.

Re-check that we still have execute permissions in case the metadata
has changed. It would be better to keep a copy from the perm-check time,
but until we can do that refactoring, the least-bad option is to do a
full inode_permission() call (under inode lock). It is understood that
this is safe against dead-locks, but hardly optimal.
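The race described above is between the mode seen at the exec permission check and the mode seen later at bprm_fill_uid() on the same inode, which an in-place chmod can change in between. As an added example that is not part of this CVE record or of the kernel fix, the POSIX shell function below shows the userland-side precaution for the package-manager case: install the replacement under a temporary name with its final mode already set, then rename it into place, so no inode that may be open for exec ever changes mode (the function names install_with_mode and mode_of are my own; GNU coreutils mktemp and stat are assumed).

```shell
#!/bin/sh
# Added example (not from the CVE record): swap a new inode into place with
# its final mode instead of running 'chmod o-x,u+s target' on the live file.
# An execve() that already opened the old file keeps a reference to the OLD
# inode, whose mode is never changed, so the perm check and the set-uid
# decision both see the same metadata. A later execve() opens the NEW inode,
# which carried its final mode (e.g. 4754) from the moment it became visible.
# Usage: install_with_mode SRC DST MODE   e.g. install_with_mode ./new /usr/bin/target 4754
install_with_mode() {
  src="$1"; dst="$2"; mode="$3"
  dir=$(dirname "$dst")
  # temp file in the same directory, so the final mv is a rename(2) on one
  # filesystem; mktemp creates it owner-only (0600), not yet executable
  tmp=$(mktemp "$dir/.install.XXXXXX") || return 1
  # fill the temp file while it is still private to the installer
  cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }
  # apply the final mode, set-id bits included, BEFORE the file is visible
  # under its real name (a real installer would chown here too)
  chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
  # atomically replace DST; the old inode is unlinked but any open exec
  # still sees it with its original, never-modified mode
  mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 1; }
}

# octal mode of a path as printed by GNU stat, e.g. 4754
mode_of() { stat -c '%a' "$1"; }
```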

See more information about CVE-2024-43882 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 7.0
Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Errata information


Platform                             Errata           Release Date
Oracle Linux version 7 (kernel-uek)  ELSA-2024-12780  2024-10-11
Oracle Linux version 7 (kernel-uek)  ELSA-2024-12782  2024-10-14
Oracle Linux version 7 (kernel-uek)  ELSA-2024-12868  2024-12-06
Oracle Linux version 8 (kernel-uek)  ELSA-2024-12780  2024-10-11
Oracle Linux version 8 (kernel-uek)  ELSA-2024-12782  2024-10-14
Oracle Linux version 8 (kernel-uek)  ELSA-2024-12815  2024-11-11
Oracle Linux version 9 (kernel-uek)  ELSA-2024-12815  2024-11-11

