CVE-2018-13405
Publication date 6 July 2018
Last updated 24 July 2024
Ubuntu priority
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
From the Ubuntu Security Team
It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| linux | ||
| 18.04 LTS bionic |
Fixed 4.15.0-33.36
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-134.160
|
|
| 14.04 LTS trusty |
Fixed 3.13.0-157.207
|
|
| linux-aws | ||
| 18.04 LTS bionic |
Fixed 4.15.0-1020.20
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1066.76
|
|
| 14.04 LTS trusty |
Fixed 4.4.0-1028.31
|
|
| linux-azure | ||
| 18.04 LTS bionic |
Fixed 4.15.0-1022.23
|
|
| 16.04 LTS xenial |
Fixed 4.15.0-1022.22~16.04.1
|
|
| 14.04 LTS trusty |
Not affected
|
|
| linux-azure-edge | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.15.0-1022.23
|
|
| 14.04 LTS trusty | Not in release | |
| linux-euclid | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| linux-flo | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| linux-gcp | ||
| 18.04 LTS bionic |
Fixed 4.15.0-1018.19
|
|
| 16.04 LTS xenial |
Fixed 4.15.0-1018.19~16.04.2
|
|
| 14.04 LTS trusty | Not in release | |
| linux-gke | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| linux-goldfish | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| linux-grouper | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-hwe | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.15.0-33.36~16.04.1
|
|
| 14.04 LTS trusty | Not in release | |
| linux-hwe-edge | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.15.0-33.36~16.04.1
|
|
| 14.04 LTS trusty | Not in release | |
| linux-kvm | ||
| 18.04 LTS bionic |
Fixed 4.15.0-1020.20
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1032.38
|
|
| 14.04 LTS trusty | Not in release | |
| linux-lts-trusty | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-utopic | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-vivid | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-wily | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-xenial | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 4.4.0-134.160~14.04.1
|
|
| linux-maguro | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-mako | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| linux-manta | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-oem | ||
| 18.04 LTS bionic |
Fixed 4.15.0-1017.20
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| linux-raspi2 | ||
| 18.04 LTS bionic |
Fixed 4.15.0-1021.23
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1095.103
|
|
| 14.04 LTS trusty | Not in release | |
| linux-snapdragon | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1099.104
|
|
| 14.04 LTS trusty | Not in release |
Notes
tyhicks
While inode_init_owner() has only been vulnerable since its introduction in a1bd120d13e586ea1c424048fd2c8420a442852a, this flaw has been present in individual filesystems since the beginning of the kernel git history.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3753-1
- Linux kernel vulnerabilities
- 24 August 2018
- USN-3752-2
- Linux kernel (HWE) vulnerabilities
- 24 August 2018
- USN-3752-1
- Linux kernel vulnerabilities
- 24 August 2018
- USN-3753-2
- Linux kernel (Xenial HWE) vulnerabilities
- 24 August 2018
- USN-3752-3
- Linux kernel (Azure, GCP, OEM) vulnerabilities
- 28 August 2018
- USN-3754-1
- Linux kernel vulnerabilities
- 24 August 2018