3.7 - VU#312692

Executive Summary

Summary
Title	Shadow Utils useradd utility sets incorrect file permissions

Informations
Name	VU#312692	First vendor Publication	2007-12-14
Vendor	VU-CERT	Last vendor Modification	2007-12-14
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:H/Au:N/C:P/I:P/A:P)
Cvss Base Score	3.7	Attack Range	Local
Cvss Impact Score	6.4	Attack Complexity	High
Cvss Expoit Score	1.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#312692

Shadow Utils useradd utility sets incorrect file permissions

Overview

The Shadow Utilities contain a vulnerability that may result in new user mailboxes having arbitrary permissions.

I. Description

The Shadow Utilities provide tools to manage user accounts.

When a new mailbox is created using the useradd utility, the open() function does not receive the expected arguments while O_CREAT is present. The result of this error is that random permissions are applied to the new mailbox.

II. Impact

A local, unprivileged attacker may be able to gain access to newly created mailbox files.

III. Solution

Affected vendors have released updates to address this issue. Users are encouraged to see the Systems Affected portion of this document for a partial list of affected vendors.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Not Vulnerable	23-May-2006
Cisco Systems, Inc.	Unknown	12-May-2006
Conectiva Inc.	Unknown	17-May-2006
Cray Inc.	Unknown	17-May-2006
Debian GNU/Linux	Unknown	17-May-2006
EMC, Inc. (formerly Data General Corporation)	Unknown	17-May-2006
Engarde Secure Linux	Unknown	17-May-2006
F5 Networks, Inc.	Not Vulnerable	22-May-2006
Fedora Project	Unknown	17-May-2006
FreeBSD, Inc.	Unknown	17-May-2006
Fujitsu	Unknown	17-May-2006
Gentoo Linux	Vulnerable	14-Dec-2007
Hewlett-Packard Company	Unknown	17-May-2006
Hitachi	Unknown	17-May-2006
IBM Corporation	Unknown	17-May-2006
IBM Corporation (zseries)	Unknown	17-May-2006
IBM eServer	Unknown	17-May-2006
Immunix Communications, Inc.	Unknown	17-May-2006
Ingrian Networks, Inc.	Unknown	17-May-2006
Juniper Networks, Inc.	Unknown	17-May-2006
Mandriva, Inc.	Unknown	17-May-2006
Microsoft Corporation	Unknown	17-May-2006
MontaVista Software, Inc.	Unknown	17-May-2006
NEC Corporation	Unknown	17-May-2006
NetBSD	Unknown	17-May-2006
Nokia	Unknown	17-May-2006
Novell, Inc.	Unknown	17-May-2006
OpenBSD	Unknown	17-May-2006
Openwall GNU/*/Linux	Not Vulnerable	17-May-2006
QNX, Software Systems, Inc.	Unknown	17-May-2006
Red Hat, Inc.	Unknown	12-May-2006
Silicon Graphics, Inc.	Unknown	17-May-2006
Slackware Linux Inc.	Unknown	17-May-2006
Sony Corporation	Unknown	17-May-2006
Sun Microsystems, Inc.	Unknown	17-May-2006
SUSE Linux	Unknown	17-May-2006
Trustix Secure Linux	Unknown	17-May-2006
Turbolinux	Unknown	17-May-2006
Ubuntu	Unknown	17-May-2006
Unisys	Unknown	17-May-2006
Wind River Systems, Inc.	Unknown	17-May-2006

References

http://linux.die.net/man/8/useradd
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s1-users-tools.html
http://www.gentoo.org/security/en/glsa/glsa-200606-02.xml
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-create-mailbox.diff?rev=HEAD
http://www.securityfocus.com/archive/1/archive/1/468336/100/0/threaded
https://www.securecoding.cert.org/confluence/x/VQBc

Credit

This document was written by Jeff Gennari.

Other Information

Date Public	05/31/2006
Date First Published	12/14/2007 09:33:38 AM
Date Last Updated	12/14/2007
CERT Advisory
CVE Name	CVE-2006-1174
Metric	0.23
Document Revision	27

Original Source

Url : http://www.kb.cert.org/vuls/id/312692

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-264	Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10807

Oval ID:	oval:org.mitre.oval:def:10807
Title:	useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.
Description:	useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2006-1174	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND shadow-utils is earlier than 2:4.0.3-29.RHEL3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND shadow-utils is earlier than 2:4.0.3-61.RHEL4

CPE : Common Platform Enumeration

Type	Description	Count
Application	Debian Shadow cpe:2.3:a:debian:shadow:4.0.6:::::::* cpe:2.3:a:debian:shadow:4.0.5:::::::* cpe:2.3:a:debian:shadow:4.0.4.1:::::::* cpe:2.3:a:debian:shadow:4.0.4:::::::* cpe:2.3:a:debian:shadow:4.0.2:::::::* cpe:2.3:a:debian:shadow:4.0.1:::::::* cpe:2.3:a:debian:shadow:4.0.0:::::::* cpe:2.3:a:debian:shadow:1:4.1.4:::::::* cpe:2.3:a:debian:shadow:::::::: cpe:2.3:a:debian:shadow:-:::::::*	10

OpenVAS Exploits

Date	Description
2008-09-24	Name : Gentoo Security Advisory GLSA 200606-02 (shadow) File : nvt/glsa_200606_02.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
25848	Shadow useradd.c Mailbox Permission Weakness

Nessus® Vulnerability Scanner

Date	Description
2013-07-12	Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2007-0276.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2007-0431.nasl - Type : ACT_GATHER_INFO
2013-06-29	Name : The remote CentOS host is missing a security update. File : centos_RHSA-2007-0276.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing a security update. File : sl_20070501_shadow_utils_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing a security update. File : sl_20070611_shadow_utils_on_SL3.nasl - Type : ACT_GATHER_INFO
2009-07-27	Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2007-0006.nasl - Type : ACT_GATHER_INFO
2007-06-14	Name : The remote CentOS host is missing a security update. File : centos_RHSA-2007-0431.nasl - Type : ACT_GATHER_INFO
2007-06-12	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2007-0431.nasl - Type : ACT_GATHER_INFO
2007-05-02	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2007-0276.nasl - Type : ACT_GATHER_INFO
2006-06-08	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200606-02.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	1
CPE ID(s)	10
osvdb(s)	1
Openvas Exploit(s)	1
Nessus® Exploit(s)	10

	Related
3.7	CVE-2006-1174
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)