CVE-2018-18955
Last modified
CVE-2018-18955 is a vulnerability of currently unknown severity. In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. EPSS estimates a 7.61% chance of exploitation in the next 30 days.
Description
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 4.15, < 4.19.2 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 18.04 |
| Canonical | Ubuntu Linux | 18.10 |
References
- http://www.securityfocus.com/bid/105941Third Party Advisory, VDB Entry
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1712Patch, Third Party Advisory
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19Patch, Vendor Advisory
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2Patch, Vendor Advisory
- https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583eea6eb04d60001e85c6f1bdPatch, Vendor Advisory
- https://usn.ubuntu.com/3832-1/Third Party Advisory
- https://usn.ubuntu.com/3833-1/Third Party Advisory
- https://usn.ubuntu.com/3835-1/Third Party Advisory
- https://usn.ubuntu.com/3836-1/Third Party Advisory
- https://usn.ubuntu.com/3836-2/Third Party Advisory
- https://www.exploit-db.com/exploits/45886/Exploit, Patch, Third Party Advisory, VDB Entry
- https://www.exploit-db.com/exploits/45915/Exploit, Third Party Advisory, VDB Entry
- http://www.securityfocus.com/bid/105941Third Party Advisory, VDB Entry
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1712Patch, Third Party Advisory
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19Patch, Vendor Advisory
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2Patch, Vendor Advisory
- https://github.com/torvalds/linux/commit/d2f007dbe7e4c9583eea6eb04d60001e85c6f1bdPatch, Vendor Advisory
- https://usn.ubuntu.com/3832-1/Third Party Advisory
- https://usn.ubuntu.com/3833-1/Third Party Advisory
- https://usn.ubuntu.com/3835-1/Third Party Advisory
- https://usn.ubuntu.com/3836-1/Third Party Advisory
- https://usn.ubuntu.com/3836-2/Third Party Advisory
- https://www.exploit-db.com/exploits/45886/Exploit, Patch, Third Party Advisory, VDB Entry
- https://www.exploit-db.com/exploits/45915/Exploit, Third Party Advisory, VDB Entry
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-18955?
How severe is CVE-2018-18955?
How do I fix CVE-2018-18955?
Are you affected by CVE-2018-18955?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST