CVE Vulnerabilities

CVE-2019-18276

Improper Check for Dropped Privileges

Published: Nov 28, 2019 | Modified: Jun 07, 2022
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.2 HIGH
AV:L/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
7.8 LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support saved UID functionality, the saved UID is not dropped. An attacker with command execution in the shell can use enable -f for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Weakness

The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

Affected Software

Name Vendor Start Version End Version
Bash Gnu * 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Bash Gnu 5.0 5.0
Red Hat Enterprise Linux 8 RedHat bash-0:4.4.19-14.el8 *
Bash Ubuntu bionic *
Bash Ubuntu disco *
Bash Ubuntu eoan *
Bash Ubuntu esm-infra/xenial *
Bash Ubuntu focal *
Bash Ubuntu groovy *
Bash Ubuntu precise/esm *
Bash Ubuntu trusty *
Bash Ubuntu trusty/esm *
Bash Ubuntu upstream *
Bash Ubuntu xenial *

Potential Mitigations

  • Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

References