Executive Summary

Summary
Title Apport vulnerabilities
Informations
Name USN-3480-1 First vendor Publication 2017-11-15
Vendor Ubuntu Last vendor Modification 2017-11-15
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10 - Ubuntu 17.04 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS

Summary:

Apport could be tricked into creating files as an administrator, resulting in denial of service or privilege escalation.

Software Description: - apport: automatically generate crash reports for debugging

Details:

Sander Bos discovered that Apport incorrectly handled core dumps for setuid binaries. A local attacker could use this issue to perform a denial of service via resource exhaustion or possibly gain root privileges. (CVE-2017-14177)

Sander Bos discovered that Apport incorrectly handled core dumps for processes in a different PID namespace. A local attacker could use this issue to perform a denial of service via resource exhaustion or possibly gain root privileges. (CVE-2017-14180)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 17.10:
apport 2.20.7-0ubuntu3.4

Ubuntu 17.04:
apport 2.20.4-0ubuntu4.7

Ubuntu 16.04 LTS:
apport 2.20.1-0ubuntu2.12

Ubuntu 14.04 LTS:
apport 2.14.1-0ubuntu3.27

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3480-1
CVE-2017-14177, CVE-2017-14180

Package Information:
https://launchpad.net/ubuntu/+source/apport/2.20.7-0ubuntu3.4
https://launchpad.net/ubuntu/+source/apport/2.20.4-0ubuntu4.7
https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.12
https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.27

Original Source

Url : http://www.ubuntu.com/usn/USN-3480-1

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 22
Os 5

Nessus® Vulnerability Scanner

Date Description
2017-11-21 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-3480-2.nasl - Type : ACT_GATHER_INFO
2017-11-16 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-3480-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2018-02-15 17:21:49
  • Multiple Updates
2018-02-02 17:21:48
  • Multiple Updates
2017-11-22 13:23:46
  • Multiple Updates
2017-11-17 13:23:44
  • Multiple Updates
2017-11-15 21:24:22
  • First insertion