Vulnerability CVE-2018-18955

Vulnerability Name:

CVE-2018-18955 (CCN-153056)

Assigned:

2018-11-05

Published:

2018-11-05

Updated:

2020-08-24

Summary:

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

CVSS v3 Severity:

7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.8 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-863

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2018-18955

Source: MISC
Type: Patch, Vendor Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd

Source: BID
Type: Third Party Advisory, VDB Entry
105941

Source: MISC
Type: Patch, Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1712

Source: CCN
Type: Google Security Research Issue 1712
Linux: broken uid/gid mapping for nested user namespaces with >5 ranges

Source: CCN
Type: Launchpad Bug #1801924
CVE-2018-18955: nested user namespaces with more than five extents incorrectly grant privileges over inode

Source: MISC
Type: Patch, Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19

Source: MISC
Type: Patch, Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2

Source: XF
Type: UNKNOWN
linux-kernel-cve201818955-priv-esc(153056)

Source: CCN
Type: Linux Kernel GIT Repository
userns: also map extents in the reverse map to kernel IDs

Source: MISC
Type: Patch, Vendor Advisory
https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd

Source: CCN
Type: Packet Storm Security [11-16-2018]
Linux Broken UID/GID Mapping

Source: CCN
Type: Packet Storm Security [11-28-2018]
Linux Nested User Namespace idmap Limit Local Privilege Escalation

Source: CCN
Type: oss-sec Mailing List, Fri, 16 Nov 2018 00:38:18 +0100
Linux kernel: broken uid/gid mapping for nested user namespaces with >5 ranges (CVE-2018-18955; since 4.15; fixed in 4.18.19 and 4.19.2)

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20190416-0003/

Source: CONFIRM
Type: UNKNOWN
https://support.f5.com/csp/article/K39103040

Source: UBUNTU
Type: Third Party Advisory
USN-3832-1

Source: UBUNTU
Type: Third Party Advisory
USN-3833-1

Source: UBUNTU
Type: Third Party Advisory
USN-3835-1

Source: UBUNTU
Type: Third Party Advisory
USN-3836-1

Source: UBUNTU
Type: Third Party Advisory
USN-3836-2

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [11-16-2018]

Source: EXPLOIT-DB
Type: Exploit, Patch, Third Party Advisory, VDB Entry
45886

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [11-29-2018]

Source: EXPLOIT-DB
Type: Exploit, Third Party Advisory, VDB Entry
45915

Source: CCN
Type: Rapid7 Web site
Linux Nested User Namespace idmap Limit Local Privilege Escalation

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-18955

Vulnerable Configuration:

Configuration 1:

cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:* (Version >= 4.15 and < 4.19.2)

Configuration 2:

cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:linux:linux_kernel:4.0.5:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:3.18:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201818955000	V	CVE-2018-18955 on Ubuntu 18.04 LTS (bionic) - medium.	2018-11-16
oval:com.ubuntu.cosmic:def:2018189550000000	V	CVE-2018-18955 on Ubuntu 18.10 (cosmic) - medium.	2018-11-16
oval:com.ubuntu.cosmic:def:201818955000	V	CVE-2018-18955 on Ubuntu 18.10 (cosmic) - medium.	2018-11-16
oval:com.ubuntu.bionic:def:2018189550000000	V	CVE-2018-18955 on Ubuntu 18.04 LTS (bionic) - medium.	2018-11-16
oval:com.ubuntu.trusty:def:201818955000	V	CVE-2018-18955 on Ubuntu 14.04 LTS (trusty) - medium.	2018-11-16
oval:com.ubuntu.xenial:def:2018189550000000	V	CVE-2018-18955 on Ubuntu 16.04 LTS (xenial) - medium.	2018-11-16
oval:com.ubuntu.xenial:def:201818955000	V	CVE-2018-18955 on Ubuntu 16.04 LTS (xenial) - medium.	2018-11-16

BACK