Red Hat patched two vulnerabilities related to the “libuser” library, which a local attacker could leverage to escalate to root privileges.
The libuser library provides an interface for manipulating and managing user and group accounts. The package is a default installation in Red Hat Enterprise Linux (RHEL) and other Linux distributions derived from the Red Hat codebase.
The vulnerabilities were discovered by researchers at security firm Qualys, who published a proof-of-concept (PoC) to show how the flaws can be exploited.
The first security hole, which Red Hat has classified in an advisory as having “important” impact, is a race condition vulnerability (CVE-2015-3246). The issue stems from the fact that libuser modifies the /etc/passwd file directly, unlike other programs (e.g. passwd, chfn, chsh), which work on a temporary copy of the file that is later renamed. If something goes wrong with changes to the file, libuser could leave /etc/passwd in an inconsistent state, which can lead to a denial-of-service (DoS) condition.
The second vulnerability, rated “moderate,” affects the userhelper utility, which provides a basic interface for changing a user’s password, GECOS information, and shell.
The bug comes from the chfn function in userhelper, which does not properly filter out newline characters (CVE-2015-3245).
“The chfn function implemented by the userhelper utility verified that the fields it was given on the command line were valid (that is, contain no forbidden characters),” Red Hat said in its advisory. “Unfortunately, these forbidden characters (:,=) did not include the \n character and allowed local attackers to inject newline characters into the /etc/passwd file and alter this file in unexpected ways.”
Just like CVE-2015-3246, this vulnerability can be leveraged for DoS attacks. However, an attacker can combine CVE-2015-3245 and CVE-2015-3246 to achieve local privilege escalation to the root user.
Red Hat noted that while the userhelper utility is part of the usermode package, the vulnerability was addressed with an update to the libuser library. The flaw was patched by ensuring libuser forbids the \n character.
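The field check described in the advisory, next to a stricter one, as an added example that is not code from libuser or userhelper. The function names and sample values are hypothetical, and the strict version goes beyond the described fix by rejecting every ASCII control character rather than only \n.

```c
#include <stdio.h>
#include <string.h>

/* Check as the advisory describes it: only ':', ',' and '=' are forbidden.
 * A newline passes. (Hypothetical name, not the userhelper function.) */
static int field_ok_weak(const char *s)
{
    return strpbrk(s, ":,=") == NULL;
}

/* Stricter check: the same separators plus every ASCII control character,
 * which covers '\n' and '\r'. (Hypothetical name.) */
static int field_ok_strict(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return 0;
        if (*p == ':' || *p == ',' || *p == '=')
            return 0;
    }
    return 1;
}

/* /etc/passwd is one record per line, so a field value that contains
 * k newlines occupies k + 1 records once it is written out. */
static int records_spanned(const char *s)
{
    int n = 1;
    for (; *s; s++)
        if (*s == '\n')
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample GECOS values. */
    const char *samples[] = { "Alice Example", "Alice:Example",
                              "Alice\nEXTRA-LINE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: weak=%d strict=%d records=%d\n", i,
               field_ok_weak(samples[i]), field_ok_strict(samples[i]),
               records_spanned(samples[i]));
    return 0;
}
```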
The vulnerabilities affect all versions of the libuser library included in RHEL 6 and 7. Users should install the updated libuser packages.