CVE-2020-8831

Public Exploit

World writable root owned lock file created in user controllable location

Description

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

References

Link	Tags
https://launchpad.net/bugs/1862348	third party advisory exploit
https://usn.ubuntu.com/4315-1/	third party advisory
https://usn.ubuntu.com/4315-2/	third party advisory vendor advisory

Frequently Asked Questions

What is the severity of CVE-2020-8831?: CVE-2020-8831 has been scored as a medium severity vulnerability.
How to fix CVE-2020-8831?: To fix CVE-2020-8831, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-8831 being actively exploited in the wild?: It is possible that CVE-2020-8831 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-8831?: CVE-2020-8831 affects Canonical Apport.

Description

Categories

CWE-379 – Creation of Temporary File in Directory with Insecure Permissions

CWE-59 – Improper Link Resolution Before File Access ('Link Following')

References

Frequently Asked Questions