Vulnerability CVE-2016-4989

Vulnerability Name:

CVE-2016-4989 (CCN-114405)

Assigned:

2016-06-21

Published:

2016-06-21

Updated:

2017-04-17

Summary:

setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445.

CVSS v3 Severity:

7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.9 Medium (REDHAT CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-77

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2016-4989

Source: CCN
Type: RHSA-2016-1267
Important: setroubleshoot and setroubleshoot-plugins security update

Source: CCN
Type: RHSA-2016-1293
Important: setroubleshoot and setroubleshoot-plugins security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20160621 SELinux troubles

Source: SECTRACK
Type: Patch, Third Party Advisory
1036144

Source: CCN
Type: SECTRACK ID: 1036144
SETroubleShoot allow_execmod Plugin Lets Local Users Obtain Root Privileges

Source: REDHAT
Type: Third Party Advisory
RHSA-2016:1293

Source: CONFIRM
Type: Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1346461

Source: XF
Type: UNKNOWN
setroubleshoot-cve20164989-priv-esc(114405)

Source: CCN
Type: Fedorahosted Web site
SELinux Trouble Shooting Tool (SETroubleShoot)

Source: CCN
Type: setroubleshoot GIT Repository
fedora-selinux/setroubleshoot

Source: CONFIRM
Type: Patch
https://github.com/fedora-selinux/setroubleshoot/commit/dda55aa50db95a25f0d919c3a0d5871827cdc40f

Source: CONFIRM
Type: Patch
https://github.com/fedora-selinux/setroubleshoot/commit/e69378d7e82a503534d29c5939fa219341e8f2ad

Source: REDHAT
Type: Third Party Advisory
RHSA-2016:1267

Vulnerable Configuration:

Configuration 1:

cpe:/a:setroubleshoot_project:setroubleshoot:*:*:*:*:*:*:*:* (Version <= -)

Configuration 2:

cpe:/o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 8:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:selinux:setroubleshoot:*:*:*:*:*:*:*:*

AND

cpe:/o:redhat:enterprise_linux_desktop:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_workstation:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_workstation:6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.redhat.rhsa:def:20161293	P	RHSA-2016:1293: setroubleshoot and setroubleshoot-plugins security update (Important)	2016-06-23
oval:com.redhat.rhsa:def:20161267	P	RHSA-2016:1267: setroubleshoot and setroubleshoot-plugins security update (Important)	2016-06-21

BACK