CVE-2019-3461 - OpenCVE

Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14.

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Tmpreaper Debian Linux

Configuration 1 [-]

cpe:2.3:a:debian:tmpreaper:1.6.13\+nmu1:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

References

Link	Resource
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html	Vendor Advisory
https://lists.debian.org/debian-security-announce/2019/msg00003.html	Mailing List Vendor Advisory
https://usn.ubuntu.com/4077-1/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: debian

Published: 2019-01-10T00:00:00

Updated: 2019-07-29T19:06:06

Reserved: 2018-12-31T00:00:00

Link: CVE-2019-3461

JSON object: View

NVD Information

Status : Modified

Published: 2019-02-04T18:29:00.247

Modified: 2019-07-29T20:15:12.513

Link: CVE-2019-3461

JSON object: View

Redhat Information

No data.

CWE

CWE-362

{"containers": {"cna": {"affected": [{"product": "tmpreaper", "vendor": "Debian GNU/Linux", "versions": [{"status": "affected", "version": "1.6.13+nmu1"}]}], "datePublic": "2019-01-10T00:00:00", "descriptions": [{"lang": "en", "value": "Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14."}], "problemTypes": [{"descriptions": [{"description": "Local privilege escalation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-29T19:06:06", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "[debian-lts-announce] 20190124 [SECURITY] [DLA 1640-1] tmpreaper security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956"}, {"name": "DSA-4365", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://lists.debian.org/debian-security-announce/2019/msg00003.html"}, {"name": "USN-4077-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4077-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "DATE_PUBLIC": "2019-01-10T00:00:00", "ID": "CVE-2019-3461", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tmpreaper", "version": {"version_data": [{"version_value": "1.6.13+nmu1"}]}}]}, "vendor_name": "Debian GNU/Linux"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Local privilege escalation"}]}]}, "references": {"reference_data": [{"name": "[debian-lts-announce] 20190124 [SECURITY] [DLA 1640-1] tmpreaper security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956", "refsource": "MISC", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956"}, {"name": "DSA-4365", "refsource": "DEBIAN", "url": "https://lists.debian.org/debian-security-announce/2019/msg00003.html"}, {"name": "USN-4077-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4077-1/"}]}}}}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2019-3461", "datePublished": "2019-01-10T00:00:00", "dateReserved": "2018-12-31T00:00:00", "dateUpdated": "2019-07-29T19:06:06", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:tmpreaper:1.6.13\\+nmu1:*:*:*:*:*:*:*", "matchCriteriaId": "375E8A83-2793-4AAA-8C1E-DFB9ACD1A655", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14."}, {"lang": "es", "value": "Debian tmpreaper, en su versi\u00f3n 1.6.13+nmu1, tiene una condici\u00f3n de carrera al realizar un montaje (bind) mediante rename(), lo que podr\u00eda resultar en el escalado de privilegios local. El montaje mediante rename() podr\u00eda conducir a que un archivo se coloque en otro lugar de la jerarqu\u00eda del sistema de archivos (p.ej., /etc/cron.d/) si el directorio que se est\u00e1 limpiando est\u00e1 en el mismo sistema de archivos f\u00edsico. Las versiones solucionadas incluyen la 1.6.13+nmu1+deb9u1 y la 1.6.14."}], "id": "CVE-2019-3461", "lastModified": "2019-07-29T20:15:12.513", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-04T18:29:00.247", "references": [{"source": "security@debian.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918956"}, {"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00017.html"}, {"source": "security@debian.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.debian.org/debian-security-announce/2019/msg00003.html"}, {"source": "security@debian.org", "url": "https://usn.ubuntu.com/4077-1/"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}