Vulnerability Name: CVE-2013-1060 (CCN-87541)

Assigned: 2013-07-31
Published: 2013-07-31
Updated: 2013-10-02
Summary: A certain Ubuntu build procedure for perf, as distributed in the Linux kernel packages in Ubuntu 10.04 LTS, 12.04 LTS, 12.10, 13.04, and 13.10, sets the HOME environment variable to the ~buildd directory and consequently reads the system configuration file from the ~buildd directory, which allows local users to gain privileges by leveraging control over the buildd account.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.1 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.9 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.1 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-264
Vulnerability Consequences: Gain Privileges
References:

Source: MITRE
Type: CNA
CVE-2013-1060

Source: CONFIRM
Type: Vendor Advisory
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1060.html

Source: CCN
Type: The Linux Kernel Archives Web site
The Linux Kernel Archives

Source: CCN
Type: BID-62248
Linux Kernel 'perf' Utility CVE-2013-1060 Local Privilege Escalation Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-1938-1

Source: UBUNTU
Type: UNKNOWN
USN-1939-1

Source: UBUNTU
Type: UNKNOWN
USN-1941-1

Source: UBUNTU
Type: UNKNOWN
USN-1942-1

Source: UBUNTU
Type: UNKNOWN
USN-1943-1

Source: UBUNTU
Type: UNKNOWN
USN-1944-1

Source: UBUNTU
Type: UNKNOWN
USN-1945-1

Source: UBUNTU
Type: UNKNOWN
USN-1946-1

Source: UBUNTU
Type: UNKNOWN
USN-1947-1

Source: XF
Type: UNKNOWN
linux-kernel-cve20131060-priv-esc(87541)

Source: CONFIRM
Type: UNKNOWN
https://launchpad.net/bugs/1206200

Source: CCN
Type: Ubuntu Mailing Lists, Wed Jul 31 18:09:25 UTC 2013
[CVE-2013-1060] perf configuration file vunerability

Source: MLIST
Type: UNKNOWN
[kernel-team] 20130731 [CVE-2013-1060] perf configuration file vunerability

Source: MLIST
Type: UNKNOWN
[kernel-team] 20130731 [lucid CVE 1/1] UBUNTU: [Packaging] supply perf with appropriate prefix to ensure use of local config

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-1060

Vulnerable Configuration:

Configuration 1:
  • cpe:/o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
  AND
  • cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.mitre.oval:def:27018 | P | USN-1946-1 -- Linux kernel (OMAP4) vulnerabilities | 2014-12-08 |
| oval:org.mitre.oval:def:19027 | P | USN-1938-1 -- linux vulnerabilities | 2014-07-07 |
| oval:org.mitre.oval:def:18799 | P | USN-1945-1 -- linux-ti-omap4 vulnerabilities | 2014-06-30 |
| oval:org.mitre.oval:def:18897 | P | USN-1944-1 -- linux vulnerabilities | 2014-06-30 |
| oval:org.mitre.oval:def:18044 | P | USN-1940-1 -- linux-ec2 vulnerabilities | 2014-06-30 |
| oval:org.mitre.oval:def:18861 | P | USN-1939-1 -- linux vulnerabilities | 2014-06-30 |
| oval:org.mitre.oval:def:18298 | P | USN-1942-1 -- linux-ti-omap4 vulnerabilities | 2014-06-30 |
| oval:org.mitre.oval:def:18870 | P | USN-1941-1 -- linux vulnerabilities | 2014-06-30 |
| oval:org.mitre.oval:def:18721 | P | USN-1947-1 -- linux-lts-quantal vulnerabilities | 2014-06-30 |
| oval:org.mitre.oval:def:18895 | P | USN-1943-1 -- linux-lts-raring vulnerabilities | 2014-06-30 |
| oval:com.ubuntu.xenial:def:201310600000000 | V | CVE-2013-1060 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-09-25 |
| oval:com.ubuntu.artful:def:20131060000 | V | CVE-2013-1060 on Ubuntu 17.10 (artful) - medium. | 2013-09-25 |
| oval:com.ubuntu.precise:def:20131060000 | V | CVE-2013-1060 on Ubuntu 12.04 LTS (precise) - medium. | 2013-09-25 |
| oval:com.ubuntu.trusty:def:20131060000 | V | CVE-2013-1060 on Ubuntu 14.04 LTS (trusty) - medium. | 2013-09-25 |
| oval:com.ubuntu.xenial:def:20131060000 | V | CVE-2013-1060 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-09-25 |
    canonical ubuntu linux 10.04 -
    canonical ubuntu linux 12.04 -
    canonical ubuntu linux 12.10
    canonical ubuntu linux 13.04
    canonical ubuntu linux 13.10
    canonical ubuntu linux 10.04
    canonical ubuntu linux 12.04
    canonical ubuntu linux 12.10
    canonical ubuntu linux 13.10
    canonical ubuntu linux 13.04
    linux linux kernel -