Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Red Hat Patches “libuser” Library Vulnerabilities

Red Hat has patched two vulnerabilities related to the “libuser” library, which could be exploited by a local attacker to escalate privileges to root.

Red Hat has patched two vulnerabilities related to the “libuser” library, which could be exploited by a local attacker to escalate privileges to root.

The libuser library provides an interface for manipulating and managing user and group accounts. The package is installed by default in Red Hat Enterprise Linux (RHEL) and other Linux distributions derived from the Red Hat codebase.

The vulnerabilities were discovered and reported by researchers at security firm Qualys, who published a proof-of-concept (PoC) on Thursday to show how the flaws can be exploited.

The first security hole, which Red Hat has classified as having “important” impact, is a race condition vulnerability (CVE-2015-3246). The issue is related to the fact that libuser modifies the /etc/passwd file directly, unlike other programs (e.g. passwd, chfn, chsh) which work on a temporary copy of file that is later renamed. If something goes wrong when changes are made to the file, libuser could leave /etc/passwd in an inconsistent state, which can lead to a denial-of-service (DoS) condition.

The second vulnerability, rated “moderate,” affects the userhelper utility, which provides a basic interface for changing a user’s password, GECOS information, and shell.

The bug is caused by the fact that the chfn function in userhelper does not properly filter out newline characters (CVE-2015-3245).

“The chfn function implemented by the userhelper utility verified that the fields it was given on the command line were valid (that is, contain no forbidden characters),” Red Hat explained in its advisory. “Unfortunately, these forbidden characters (:,=) did not include the \n character and allowed local attackers to inject newline characters into the /etc/passwd file and alter this file in unexpected ways.”

Just like CVE-2015-3246, this vulnerability can be exploited for DoS attacks. However, an attacker can combine CVE-2015-3245 and CVE-2015-3246 to achieve local privilege escalation to the root user.

Red Hat noted that while the userhelper utility is part of the usermode package, the vulnerability has been addressed with an update to the libuser library. The flaw has been patched by ensuring that libuser forbids the \n character.

“userhelper depends on libuser to modify /etc/passwd, and libuser’s format_generic() and generic_setpass() functions reject fields containing a ‘:’ that would be interpreted as a field separator. [CVE-2015-3245] could have been prevented if libuser had also rejected ‘\n’ characters,” Qualys explained in its own advisory.

The vulnerabilities affect all versions of the libuser library included in RHEL 6 and 7. Users are advised to install the updated libuser packages.

Debian has also published advisories for CVE-2015-3245 and CVE-2015-3246, but patches are not available.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.