Red Hat Patches “libuser” Library Vulnerabilities

Red Hat has patched two vulnerabilities related to the “libuser” library, which could be exploited by a local attacker to escalate privileges to root.

The libuser library provides an interface for manipulating and managing user and group accounts. The package is installed by default in Red Hat Enterprise Linux (RHEL) and other Linux distributions derived from the Red Hat codebase.

The vulnerabilities were discovered and reported by researchers at security firm Qualys, who published a proof-of-concept (PoC) on Thursday to show how the flaws can be exploited.

The first security hole, which Red Hat has classified as having “important” impact, is a race condition vulnerability (CVE-2015-3246). The issue is related to the fact that libuser modifies the /etc/passwd file directly, unlike other programs (e.g. passwd, chfn, chsh), which work on a temporary copy of the file that is later renamed. If something goes wrong when changes are made to the file, libuser could leave /etc/passwd in an inconsistent state, which can lead to a denial-of-service (DoS) condition.

The second vulnerability, rated “moderate,” affects the userhelper utility, which provides a basic interface for changing a user’s password, GECOS information, and shell.

The bug is caused by the fact that the chfn function in userhelper does not properly filter out newline characters (CVE-2015-3245).

“The chfn function implemented by the userhelper utility verified that the fields it was given on the command line were valid (that is, contain no forbidden characters),” Red Hat explained in its advisory. “Unfortunately, these forbidden characters (:,=) did not include the \n character and allowed local attackers to inject newline characters into the /etc/passwd file and alter this file in unexpected ways.”

Just like CVE-2015-3246, this vulnerability can be exploited for DoS attacks. However, an attacker can combine CVE-2015-3245 and CVE-2015-3246 to achieve local privilege escalation to the root user.

Red Hat noted that while the userhelper utility is part of the usermode package, the vulnerability has been addressed with an update to the libuser library. The flaw has been patched by ensuring that libuser forbids the \n character.

“userhelper depends on libuser to modify /etc/passwd, and libuser’s format_generic() and generic_setpass() functions reject fields containing a ‘:’ that would be interpreted as a field separator. [CVE-2015-3245] could have been prevented if libuser had also rejected ‘\n’ characters,” Qualys explained in its own advisory.
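
The field check described in the two advisories, written out as an added example (not code from libuser, userhelper or either advisory): the forbidden set with and without '\n', plus a consistency check that flags passwd records lacking exactly seven colon-separated fields. Function names and sample strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check as the advisory describes it: only ':', ',' and '=' are forbidden.
 * Hypothetical function name, not userhelper's own. */
bool gecos_field_ok_weak(const char *s)
{
    return strpbrk(s, ":,=") == NULL;
}

/* Corrected check: '\n' ends a record in /etc/passwd, so reject it too. */
bool gecos_field_ok_fixed(const char *s)
{
    return strpbrk(s, ":,=\n") == NULL;
}

/* Count lines in a passwd-format buffer that do not have exactly seven
 * colon-separated fields (name:passwd:uid:gid:gecos:home:shell). */
size_t count_malformed_records(const char *buf)
{
    size_t bad = 0;
    while (*buf) {
        size_t len = strcspn(buf, "\n"), colons = 0;
        for (size_t i = 0; i < len; i++)
            if (buf[i] == ':')
                colons++;
        if (colons != 6)
            bad++;
        buf += len;
        if (*buf == '\n')
            buf++;
    }
    return bad;
}

/* Constructed sample data, not taken from the advisories. */
const char SAMPLE_FIELD[] = "Alice Example\nRoom 12";
const char SAMPLE_CLEAN[] = "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash\n";
const char SAMPLE_SPLIT[] =
    "alice:x:1000:1000:Alice Example\nRoom 12:/home/alice:/bin/bash\n";

int main(void)
{
    printf("weak=%d fixed=%d malformed=%zu\n", gecos_field_ok_weak(SAMPLE_FIELD),
           gecos_field_ok_fixed(SAMPLE_FIELD), count_malformed_records(SAMPLE_SPLIT));
    return 0;
}
```

The weak check accepts the sample field, and writing it into the GECOS position turns one record into two lines that both fail the seven-field check.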

The vulnerabilities affect all versions of the libuser library included in RHEL 6 and 7. Users are advised to install the updated libuser packages.

Debian has also published advisories for CVE-2015-3245 and CVE-2015-3246, but patches are not available.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
