Vulnerability Name:

CVE-2018-10900 (CCN-147139)

Assigned:2018-07-20
Published:2018-07-20
Updated:2020-12-04
Summary:Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-78
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2018-10900

Source: CCN
Type: oss-sec Mailing List, Fri, 20 Jul 2018 11:38:39 +0200
CVE-2018-10900: NetworkManager-vpnc-1.2.4 local privilege escalation

Source: CONFIRM
Type: Exploit, Issue Tracking, Third Party Advisory
https://bugzilla.novell.com/show_bug.cgi?id=1101147

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10900

Source: CONFIRM
Type: Third Party Advisory, Vendor Advisory
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news

Source: XF
Type: UNKNOWN
gnome-cve201810900-priv-esc(147139)

Source: CCN
Type: GNOME GIT Repository
service: disallow newlinies in configuration values (CVE-2018-10900)

Source: CONFIRM
Type: Patch, Third Party Advisory, Vendor Advisory
https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4

Source: MLIST
Type: Third Party Advisory
[debian-lts-announce] 20180731 [SECURITY] [DLA 1454-1] network-manager-vpnc security update

Source: CCN
Type: Packet Storm Security [07-23-2018]
Network Manager VPNC 1.2.4 Privilege Escalation

Source: CCN
Type: Packet Storm Security [08-31-2018]
Network Manager VPNC Username Privilege Escalation

Source: MISC
Type: Exploit, Third Party Advisory
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc

Source: GENTOO
Type: Third Party Advisory
GLSA-201808-03

Source: DEBIAN
Type: Third Party Advisory
DSA-4253

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [08-31-2018]

Source: EXPLOIT-DB
Type: Exploit, Third Party Advisory, VDB Entry
45313

Source: CCN
Type: Rapid7 Web site
Network Manager VPNC Username Privilege Escalation

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-10900

Vulnerable Configuration:Configuration 1:
  • cpe:/a:gnome:network_manager_vpnc:*:*:*:*:*:*:*:* (Version < 1.2.6)

  • Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201810900
    V
    CVE-2018-10900
    2022-06-30
    oval:org.opensuse.security:def:111914
    P
    NetworkManager-vpnc-1.2.6-4.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105482
    P
    NetworkManager-vpnc-1.2.6-4.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:47363
    P
    libjbig2-2.0-12.13 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47427
    P
    libvirt-3.3.0-4.28 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47003
    P
    libXvnc1-1.6.0-12.6 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47458
    P
    pam-modules-12.1-23.12 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47217
    P
    busybox-1.21.1-3.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47529
    P
    xdg-utils-20140630-5.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47301
    P
    krb5-1.12.5-39.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48167
    P
    libpango-1_0-0-1.40.1-9.5 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48221
    P
    libvte9-0.28.2-19.7 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:55217
    P
    Security update for arpwatch (Important)
    2021-06-28
    oval:org.opensuse.security:def:12328
    P
    puppet-3.8.5-14.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12252
    P
    libproxy1-0.4.13-16.3 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46856
    P
    tcpdump-4.5.1-7.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12375
    P
    xen-4.9.0_08-2.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12390
    P
    MozillaFirefox-52.9.0esr-109.38.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12551
    P
    libgnomesu-2.0.0-353.6.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12409
    P
    bzip2-1.0.6-29.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12560
    P
    libjasper1-1.900.14-195.8.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12484
    P
    hyper-v-7-7.5 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12573
    P
    liblua5_2-5.2.4-6.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12509
    P
    libX11-6-1.6.2-12.5.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46441
    P
    ibus-chewing-1.4.10.1-2.17 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12260
    P
    libreoffice-5.2.5.1-42.13 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46633
    P
    cpp48-4.8.5-24.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12282
    P
    libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:46765
    P
    libqt4-32bit-4.8.6-4.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:26053
    P
    Security update for libxml2 (Important)
    2021-05-19
    oval:org.opensuse.security:def:13211
    P
    wpa_supplicant-2.6-15.10.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:13233
    P
    docker-1.6.2-31.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:55136
    P
    gstreamer-plugins-bad on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24623
    P
    Security update for clamav (Important)
    2020-12-01
    oval:org.opensuse.security:def:54824
    P
    libHX28 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24686
    P
    Security update for tomcat (Important)
    2020-12-01
    oval:org.opensuse.security:def:53694
    P
    Security update for nodejs10 (Important)
    2020-12-01
    oval:org.opensuse.security:def:54932
    P
    libsrtp1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56493
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:24812
    P
    Security update for ImageMagick (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:53716
    P
    Security update for ucode-intel (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24613
    P
    Security update for w3m (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56567
    P
    Recommended update for NetworkManager-vpnc (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:24893
    P
    Security update for ovmf (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:53856
    P
    Security update for MozillaThunderbird (Important)
    2020-12-01
    oval:org.opensuse.security:def:46308
    P
    Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)
    2020-12-01
    oval:org.opensuse.security:def:24949
    P
    Security update for postgresql10 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:54094
    P
    pam_ssh on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:46321
    P
    Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)
    2020-12-01
    oval:org.opensuse.security:def:25322
    P
    Security update for tigervnc (Critical)
    2020-12-01
    oval:org.opensuse.security:def:53693
    P
    Security update for perl-DBI (Important)
    2020-12-01
    oval:org.opensuse.security:def:25032
    P
    Security update for bind (Important)
    2020-12-01
    oval:org.opensuse.security:def:54267
    P
    libgcrypt20 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25336
    P
    Security update for gcc10 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55024
    P
    tftp on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25182
    P
    Security update for krb5-appl (Important)
    2020-12-01
    oval:org.opensuse.security:def:54373
    P
    rpcbind on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25380
    P
    Security update for apache2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55098
    P
    elfutils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:46307
    P
    Security update for openldap2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:25235
    P
    Security update for java-1_7_1-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:54539
    P
    libdmx1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26018
    P
    Security update for freerdp (Important)
    2020-12-01
    oval:org.opensuse.security:def:79201
    P
    Recommended update for NetworkManager-vpnc (Moderate)
    2018-08-10
    oval:com.ubuntu.bionic:def:201810900000
    V
    CVE-2018-10900 on Ubuntu 18.04 LTS (bionic) - medium.
    2018-07-26
    oval:com.ubuntu.bionic:def:2018109000000000
    V
    CVE-2018-10900 on Ubuntu 18.04 LTS (bionic) - medium.
    2018-07-26
    oval:com.ubuntu.trusty:def:201810900000
    V
    CVE-2018-10900 on Ubuntu 14.04 LTS (trusty) - medium.
    2018-07-26
    oval:com.ubuntu.xenial:def:2018109000000000
    V
    CVE-2018-10900 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-07-26
    oval:com.ubuntu.xenial:def:201810900000
    V
    CVE-2018-10900 on Ubuntu 16.04 LTS (xenial) - medium.
    2018-07-26
    oval:com.ubuntu.artful:def:201810900000
    V
    CVE-2018-10900 on Ubuntu 17.10 (artful) - medium.
    2018-07-20
    BACK
    gnome network manager vpnc *
    debian debian linux 8.0
    debian debian linux 9.0