search menu icon-carat-right cmu-wordmark

CERT Coordination Center


util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Vulnerability Note VU#405955

Original Release Date: 2002-07-29 | Last Revised: 2003-05-30

Overview

The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.

Description

util-linux is shipped with Red Hat Linux and numerous other Linux distributions. It contains a collection of utility programs, such as fstab, mkfs, and chfn. The BindView RAZOR Team has discovered that because setpwnam.c inadequately locks a temporary file used when making changes to /etc/passwd, a race condition can be used to elevate privileges on the system.

For further details, please see the Bindview Advisory.

Impact

A local user may be able to elevate their privileges on the system.

Solution

Apply a patch from your vendor, or, an immediate workaround (provided by BindView) is to remove setuid flags from /usr/bin/chfn and /usr/bin/chsh. To remediate the vulnerability, patch the source code as follows.

--- util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000
+++ util-linux-2.11n/login-utils/setpwnam.c     Wed Jun 12 21:37:12 2002
@@ -98,7 +98,8 @@
    /* sanity check */
    for (x = 0; x < 3; x++) {
       if (x > 0) sleep(1);
-       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644);
+        // Never share the temporary file.
+       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644);
       if (fd == -1) {
           umask(oldumask);
           return -1;

Vendor Information

405955
Expand all

Red Hat Inc.

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Vulnerable

Vendor Statement

Red Hat distributes the util-linux package in all Red Hat Linux distributions. Updated packages containing a fix for this vulnerability will be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.

http://rhn.redhat.com/errata/RHSA-2002-132.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  June 26, 2002 Updated:  July 17, 2002

Status

  Vulnerable

Vendor Statement

This issue affects the following Sun Cobalt platforms:

Sun Cobalt RaQ
Sun Cobalt RaQ 2
Sun Cobalt RaQ 3
Sun Cobalt RaQ 4
Sun Cobalt RaQ 550
Sun Cobalt RaQ XTR
Sun Cobalt Cache RaQ series
Sun Cobalt Qube
Sun Cobalt Qube 2
Sun Cobalt Qube 3
Sun Cobalt Control Station

Sun Cobalt are generating patches for this issue presently which will be
available for download from:

http://sunsolve.sun.com/patches/cobalt

A SunAlert will be published which details the issue and the patch
information which will be available from:

http://sunsolve.sun.com/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Notified:  June 26, 2002 Updated:  October 30, 2002

Status

  Vulnerable

Vendor Statement

Caldera OpenLinux is vulnerable to this race condition, and we are preparing a fix.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please also see ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-043.0.txt.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  June 26, 2002 Updated:  July 24, 2002

Status

  Not Vulnerable

Vendor Statement

In relation to this CERT advisory on security vulnerabilities in util-linux, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. An initial analysis has shown that none of our products is affected when used as delivered to customers. The security of our customers' networks is of highest priority for Alcatel. Therefore, investigations are going on and updates will be provided if necessary. Customers may contact their Alcatel support representative for more details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Not Vulnerable

Vendor Statement

Cray, Inc. is not vulnerable to this problem because chfn is not accessible to any users of our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  June 26, 2002 Updated:  June 27, 2002

Status

  Not Vulnerable

Vendor Statement

Debian does not ship any of the util-linux login-utils tools; instead we use the corresponding tools from the 'shadow' package, which use a different locking technique.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  June 26, 2002 Updated:  July 17, 2002

Status

  Not Vulnerable

Vendor Statement

IBM's AIX operating system is not vulnerable to the above issues. While IBM does supply open source packages for AIX through the AIX Toolbox for Linux Applications, the util-linux package is not one of them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Notified:  June 26, 2002 Updated:  July 11, 2002

Status

  Not Vulnerable

Vendor Statement

Lotus does not ship any Linux distributions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  June 26, 2002 Updated:  July 12, 2002

Status

  Not Vulnerable

Vendor Statement

This vulnerability does not affect us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  June 26, 2002 Updated:  July 12, 2002

Status

  Not Vulnerable

Vendor Statement

NetBSD is not affected by this issue. Password locking functions in NetBSD are provided by libutil. The lock file has been opened O_EXCL in libutil since at least May, 1996 - we did not check further back, since that covers NetBSD 1.2 and later.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Updated:  August 15, 2002

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux (Owl) is not vulnerable. We're using a version of chfn(1) utility from the shadow suite (with our modifications) rather than one from util-linux. This decision was made during Owl development specifically to ensure compatible password file locking across the system as a whole. Additionally, on Owl, chfn(1) isn't available to regular users by default, although that is a supported owl-control setting.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  June 26, 2002 Updated:  July 15, 2002

Status

  Not Vulnerable

Vendor Statement

SuSE Linux is not vulnerable to this issue, as we do no use the passwd utility from util-linux. Instead, we are using the ones from the shadow or pwdutils suite, which properly opens the file with O_EXCL (in addition to using lockpwdf).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Corporation

Notified:  June 26, 2002 Updated:  May 30, 2003

Status

  Not Vulnerable

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  June 26, 2002 Updated:  June 27, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lachman

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies

Notified:  June 26, 2002 Updated:  June 27, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Multinet

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisphere Networks

Notified:  June 26, 2002 Updated:  June 28, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Notified:  June 26, 2002 Updated:  July 10, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Michal Zalewski, BindView RAZOR, for reporting this vulnerability.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-0638
Severity Metric: 10.97
Date Public: 2002-07-29
Date First Published: 2002-07-29
Date Last Updated: 2003-05-30 17:13 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.