Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2016-1255

Improper Link Resolution Before File Access ('Link Following')

Published: Dec 05, 2017 | Modified: Dec 21, 2017
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.2 HIGH
AV:L/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2016-1255
CWEhttps://cwe.mitre.org/data/definitions/59.html

The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable before 178, in Ubuntu 12.04 LTS before 129ubuntu1.2, in Ubuntu 14.04 LTS before 154ubuntu1.1, in Ubuntu 16.04 LTS before 173ubuntu0.1, in Ubuntu 17.04 before 179ubuntu0.1, and in Ubuntu 17.10 before 184ubuntu1.1 allows local users to gain root privileges via a symlink attack on a logfile in /var/log/postgresql.

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Name Vendor Start Version End Version
Postgresql-common Debian 1 (including) 1 (including)
Postgresql-common Debian 2 (including) 2 (including)
Postgresql-common Debian 3 (including) 3 (including)
Postgresql-common Debian 4 (including) 4 (including)
Postgresql-common Debian 5 (including) 5 (including)
Postgresql-common Debian 6 (including) 6 (including)
Postgresql-common Debian 7 (including) 7 (including)
Postgresql-common Debian 8 (including) 8 (including)
Postgresql-common Debian 9 (including) 9 (including)
Postgresql-common Debian 10 (including) 10 (including)
Postgresql-common Debian 11 (including) 11 (including)
Postgresql-common Debian 12 (including) 12 (including)
Postgresql-common Debian 13 (including) 13 (including)
Postgresql-common Debian 14 (including) 14 (including)
Postgresql-common Debian 15 (including) 15 (including)
Postgresql-common Debian 16 (including) 16 (including)
Postgresql-common Debian 17 (including) 17 (including)
Postgresql-common Debian 18 (including) 18 (including)
Postgresql-common Debian 19 (including) 19 (including)
Postgresql-common Debian 20 (including) 20 (including)
Postgresql-common Debian 21 (including) 21 (including)
Postgresql-common Debian 22 (including) 22 (including)
Postgresql-common Debian 23 (including) 23 (including)
Postgresql-common Debian 24 (including) 24 (including)
Postgresql-common Debian 25 (including) 25 (including)
Postgresql-common Debian 26 (including) 26 (including)
Postgresql-common Debian 27 (including) 27 (including)
Postgresql-common Debian 28 (including) 28 (including)
Postgresql-common Debian 29 (including) 29 (including)
Postgresql-common Debian 30 (including) 30 (including)
Postgresql-common Debian 31 (including) 31 (including)
Postgresql-common Debian 32 (including) 32 (including)
Postgresql-common Debian 33 (including) 33 (including)
Postgresql-common Debian 34 (including) 34 (including)
Postgresql-common Debian 35 (including) 35 (including)
Postgresql-common Debian 36 (including) 36 (including)
Postgresql-common Debian 37 (including) 37 (including)
Postgresql-common Debian 38 (including) 38 (including)
Postgresql-common Debian 39 (including) 39 (including)
Postgresql-common Debian 40 (including) 40 (including)
Postgresql-common Debian 41 (including) 41 (including)
Postgresql-common Debian 42 (including) 42 (including)
Postgresql-common Debian 43 (including) 43 (including)
Postgresql-common Debian 44 (including) 44 (including)
Postgresql-common Debian 45 (including) 45 (including)
Postgresql-common Debian 46 (including) 46 (including)
Postgresql-common Debian 47 (including) 47 (including)
Postgresql-common Debian 48 (including) 48 (including)
Postgresql-common Debian 49 (including) 49 (including)
Postgresql-common Debian 50 (including) 50 (including)
Postgresql-common Debian 51 (including) 51 (including)
Postgresql-common Debian 52 (including) 52 (including)
Postgresql-common Debian 53 (including) 53 (including)
Postgresql-common Debian 54 (including) 54 (including)
Postgresql-common Debian 55 (including) 55 (including)
Postgresql-common Debian 56 (including) 56 (including)
Postgresql-common Debian 57 (including) 57 (including)
Postgresql-common Debian 58 (including) 58 (including)
Postgresql-common Debian 59 (including) 59 (including)
Postgresql-common Debian 60 (including) 60 (including)
Postgresql-common Debian 61 (including) 61 (including)
Postgresql-common Debian 62 (including) 62 (including)
Postgresql-common Debian 63 (including) 63 (including)
Postgresql-common Debian 64 (including) 64 (including)
Postgresql-common Debian 65 (including) 65 (including)
Postgresql-common Debian 66 (including) 66 (including)
Postgresql-common Debian 67 (including) 67 (including)
Postgresql-common Debian 68 (including) 68 (including)
Postgresql-common Debian 69 (including) 69 (including)
Postgresql-common Debian 70 (including) 70 (including)
Postgresql-common Debian 71 (including) 71 (including)
Postgresql-common Debian 72 (including) 72 (including)
Postgresql-common Debian 73 (including) 73 (including)
Postgresql-common Debian 74 (including) 74 (including)
Postgresql-common Debian 75 (including) 75 (including)
Postgresql-common Debian 76 (including) 76 (including)
Postgresql-common Debian 77 (including) 77 (including)
Postgresql-common Debian 78 (including) 78 (including)
Postgresql-common Debian 79 (including) 79 (including)
Postgresql-common Debian 80 (including) 80 (including)
Postgresql-common Debian 81 (including) 81 (including)
Postgresql-common Debian 82 (including) 82 (including)
Postgresql-common Debian 83 (including) 83 (including)
Postgresql-common Debian 84 (including) 84 (including)
Postgresql-common Debian 85 (including) 85 (including)
Postgresql-common Debian 86 (including) 86 (including)
Postgresql-common Debian 87 (including) 87 (including)
Postgresql-common Debian 88 (including) 88 (including)
Postgresql-common Debian 89 (including) 89 (including)
Postgresql-common Debian 90 (including) 90 (including)
Postgresql-common Debian 91 (including) 91 (including)
Postgresql-common Debian 92 (including) 92 (including)
Postgresql-common Debian 93 (including) 93 (including)
Postgresql-common Debian 94 (including) 94 (including)
Postgresql-common Debian 95 (including) 95 (including)
Postgresql-common Debian 96 (including) 96 (including)
Postgresql-common Debian 97 (including) 97 (including)
Postgresql-common Debian 98 (including) 98 (including)
Postgresql-common Debian 99 (including) 99 (including)
Postgresql-common Debian 100 (including) 100 (including)
Postgresql-common Debian 101 (including) 101 (including)
Postgresql-common Debian 102 (including) 102 (including)
Postgresql-common Debian 103 (including) 103 (including)
Postgresql-common Debian 104 (including) 104 (including)
Postgresql-common Debian 105 (including) 105 (including)
Postgresql-common Debian 106 (including) 106 (including)
Postgresql-common Debian 107 (including) 107 (including)
Postgresql-common Debian 108 (including) 108 (including)
Postgresql-common Debian 109 (including) 109 (including)
Postgresql-common Debian 110 (including) 110 (including)
Postgresql-common Debian 111 (including) 111 (including)
Postgresql-common Debian 112 (including) 112 (including)
Postgresql-common Debian 113 (including) 113 (including)
Postgresql-common Debian 114 (including) 114 (including)
Postgresql-common Debian 115 (including) 115 (including)
Postgresql-common Debian 116 (including) 116 (including)
Postgresql-common Debian 117 (including) 117 (including)
Postgresql-common Debian 118 (including) 118 (including)
Postgresql-common Debian 119 (including) 119 (including)
Postgresql-common Debian 120 (including) 120 (including)
Postgresql-common Debian 121 (including) 121 (including)
Postgresql-common Debian 122 (including) 122 (including)
Postgresql-common Debian 123 (including) 123 (including)
Postgresql-common Debian 124 (including) 124 (including)
Postgresql-common Debian 125 (including) 125 (including)
Postgresql-common Debian 126 (including) 126 (including)
Postgresql-common Debian 127 (including) 127 (including)
Postgresql-common Debian 128 (including) 128 (including)
Postgresql-common Debian 129 (including) 129 (including)
Postgresql-common Debian 130 (including) 130 (including)
Postgresql-common Debian 131 (including) 131 (including)
Postgresql-common Debian 132 (including) 132 (including)
Postgresql-common Debian 133 (including) 133 (including)

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use