CVE-2018-13405

Public Exploit

Description

The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.

References

Link	Tags
https://usn.ubuntu.com/3752-2/	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:3083	third party advisory vendor advisory
https://usn.ubuntu.com/3752-3/	third party advisory vendor advisory
https://twitter.com/grsecurity/status/1015082951204327425	third party advisory
https://usn.ubuntu.com/3753-2/	third party advisory vendor advisory
https://usn.ubuntu.com/3754-1/	third party advisory vendor advisory
http://openwall.com/lists/oss-security/2018/07/13/2	patch mailing list third party advisory
https://access.redhat.com/errata/RHSA-2018:2948	third party advisory vendor advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7	patch vendor advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html	third party advisory mailing list
https://www.exploit-db.com/exploits/45033/	third party advisory vdb entry exploit
https://www.debian.org/security/2018/dsa-4266	third party advisory vendor advisory
http://www.securityfocus.com/bid/106503	vdb entry broken link
https://usn.ubuntu.com/3752-1/	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:3096	third party advisory vendor advisory
https://usn.ubuntu.com/3753-1/	third party advisory vendor advisory
https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7	third party advisory patch
https://access.redhat.com/errata/RHSA-2019:0717	third party advisory vendor advisory
https://support.f5.com/csp/article/K00854051	third party advisory
https://access.redhat.com/errata/RHSA-2019:2476	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:2566	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:2696	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:2730	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:4159	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:4164	third party advisory vendor advisory
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406	patch vendor advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2018-13405?: CVE-2018-13405 has been scored as a high severity vulnerability.
How to fix CVE-2018-13405?: To fix CVE-2018-13405, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2018-13405 being actively exploited in the wild?: It is possible that CVE-2018-13405 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-269 – Improper Privilege Management

References

Frequently Asked Questions