CVE-2017-9525

Published: 9 June 2017

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.

Notes

Author: jj
This appears to be mitigated by kernel symlink restrictions. The crontabs dir has the sticky bit set
    drwx-wx--T root crontab crontabs
which means symlinks within the dir must have the same uid as the target.
It is still possible that a cron package update could trigger this race.

Author: seth-arnold
I believe that actually _exploiting_ the bug requires updating the cron package. So long as there's no updates for cron, the vulnerable code doesn't run. So if we find a second bug in cron then we really should fix the race condition at the same time, but so long as we don't push a cron update, the vulnerable code just plain doesn't run.
The patch just narrows the time window for the race condition.
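
A defender-side check for the two conditions the notes above rely on (kernel symlink restrictions and the sticky bit on the crontabs directory), as an added example that is not part of the advisory or the cron package. The function names and the default path /var/spool/cron/crontabs are assumptions, listing that directory requires root, and the hard-link check goes slightly beyond the symlink case the page describes.

```shell
#!/bin/sh
# Added example: audit a crontab spool directory before a cron package update.
# All function names are hypothetical; the default directory is an assumption.

# Return 0 if the kernel symlink restriction sysctl reads 1.
# $1 lets a caller point at another file (used for testing).
protected_symlinks_enabled() {
    [ "$(cat "${1:-/proc/sys/fs/protected_symlinks}" 2>/dev/null)" = "1" ]
}

# Return 0 if directory $1 has the sticky bit (the trailing T in drwx-wx--T).
has_sticky_bit() {
    [ -k "$1" ]
}

# Print entries directly under $1 that are not plain, singly linked regular
# files: symlinks, hard links, directories, devices and so on. A chown or
# chmod that follows links would act on something other than a crontab here.
list_suspect_entries() {
    find "$1" -mindepth 1 -maxdepth 1 \( ! -type f -o -links +1 \) -print
}

# Run all three checks, print a warning per failed check, return 0 when clean.
audit_crontabs() {
    dir=${1:-/var/spool/cron/crontabs}
    sysctl_file=${2:-/proc/sys/fs/protected_symlinks}
    findings=0
    if ! protected_symlinks_enabled "$sysctl_file"; then
        echo "WARN: fs.protected_symlinks is not 1"
        findings=$((findings + 1))
    fi
    if ! has_sticky_bit "$dir"; then
        echo "WARN: $dir does not have the sticky bit set"
        findings=$((findings + 1))
    fi
    suspects=$(list_suspect_entries "$dir")
    if [ -n "$suspects" ]; then
        echo "WARN: entries that are not plain single-link files:"
        echo "$suspects"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run the audit only when a directory is given on the command line.
if [ $# -gt 0 ]; then audit_crontabs "$@"; fi
```

A non-zero return from `audit_crontabs` means at least one check failed and is worth reviewing before the package's maintainer script next runs.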

Priority

Low

CVSS 3 Severity Score

6.7


Status

Package: cron (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (3.0pl1-128.1ubuntu1.2)
xenial     Released (3.0pl1-128ubuntu2+esm2), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
artful     Ignored (end of life)
cosmic     Ignored (end of life)
disco      Ignored (end of life)
eoan       Not vulnerable (3.0pl1-134ubuntu1)
focal      Not vulnerable (3.0pl1-134ubuntu1)
groovy     Not vulnerable (3.0pl1-134ubuntu1)
hirsute    Not vulnerable (3.0pl1-134ubuntu1)
impish     Not vulnerable (3.0pl1-134ubuntu1)
jammy      Not vulnerable (3.0pl1-134ubuntu1)
kinetic    Not vulnerable (3.0pl1-134ubuntu1)
lunar      Not vulnerable (3.0pl1-134ubuntu1)
trusty     Needed
upstream   Released (3.0pl1-129)
yakkety    Ignored (end of life)
zesty      Ignored (end of life)
mantic     Not vulnerable (3.0pl1-134ubuntu1)

Patches:
upstream: https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
upstream: https://salsa.debian.org/debian/cron/-/commit/230478512cc82d879d727f6dfc18040bdd48c9d9

Severity score breakdown

Parameter Value
Base score 6.7
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H