CVE-2020-8833 - OpenCVE

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apport Project	Apport
Canonical	Ubuntu Linux

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*

Configuration 2 [-]

cpe:2.3:a:apport_project:apport:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933
https://usn.ubuntu.com/4315-1/
https://usn.ubuntu.com/4315-2/

History

No history.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2020-04-22T21:15:18.859159Z

Updated: 2024-09-16T20:53:27.660Z

Reserved: 2020-02-10T00:00:00

Link: CVE-2020-8833

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-22T22:15:12.577

Modified: 2022-10-07T15:14:27.967

Link: CVE-2020-8833

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apport", "vendor": "Canonical", "versions": [{"lessThan": "2.20.1-0ubuntu2.23", "status": "affected", "version": "2.20.1", "versionType": "custom"}, {"lessThan": "2.20.9-0ubuntu7.14", "status": "affected", "version": "2.20.9", "versionType": "custom"}, {"changes": [{"at": "2.20.11-0ubuntu22", "status": "unaffected"}], "lessThan": "2.20.11-0ubuntu8.8", "status": "affected", "version": "2.20.11", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Maximilien Bourgeteau"}], "datePublic": "2020-04-02T00:00:00", "descriptions": [{"lang": "en", "value": "Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-24T20:06:03", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://usn.ubuntu.com/4315-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933"}, {"name": "USN-4315-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4315-2/"}], "source": {"advisory": "https://usn.ubuntu.com/4315-1/", "defect": ["https://launchpad.net/bugs/1862933"], "discovery": "EXTERNAL"}, "title": "Apport race condition in crash report permissions", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-04-02T00:43:00.000Z", "ID": "CVE-2020-8833", "STATE": "PUBLIC", "TITLE": "Apport race condition in crash report permissions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apport", "version": {"version_data": [{"platform": "", "version_affected": "<", "version_name": "2.20.1", "version_value": "2.20.1-0ubuntu2.23"}, {"platform": "", "version_affected": "<", "version_name": "2.20.9", "version_value": "2.20.9-0ubuntu7.14"}, {"platform": "", "version_affected": "<", "version_name": "2.20.11", "version_value": "2.20.11-0ubuntu8.8"}, {"platform": "", "version_affected": "<", "version_name": "2.20.11", "version_value": "2.20.11-0ubuntu22"}]}}]}, "vendor_name": "Canonical"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Maximilien Bourgeteau"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}]}, "references": {"reference_data": [{"name": "https://usn.ubuntu.com/4315-1/", "refsource": "CONFIRM", "url": "https://usn.ubuntu.com/4315-1/"}, {"name": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933"}, {"name": "USN-4315-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4315-2/"}]}, "solution": [], "source": {"advisory": "https://usn.ubuntu.com/4315-1/", "defect": ["https://launchpad.net/bugs/1862933"], "discovery": "EXTERNAL"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:12:10.622Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://usn.ubuntu.com/4315-1/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933"}, {"name": "USN-4315-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4315-2/"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-8833", "datePublished": "2020-04-22T21:15:18.859159Z", "dateReserved": "2020-02-10T00:00:00", "dateUpdated": "2024-09-16T20:53:27.660Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apport_project:apport:-:*:*:*:*:*:*:*", "matchCriteriaId": "47363193-B4DB-4654-BFAC-373426212337", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22."}, {"lang": "es", "value": "Una vulnerabilidad de Condici\u00f3n de Carrera de tipo Time-of-check Time-of-use en el cambio de propiedad del reporte de bloqueo en Apport, permite una posible oportunidad de escalada de privilegios. Si fs.protected_symlinks est\u00e1 deshabilitado, esto puede ser explotado entre las llamadas de os.open y os.chown cuando el script cron de Apport borra los archivos bloqueados de tama\u00f1o 0. Un enlace simb\u00f3lico con el mismo nombre que el archivo eliminado puede entonces ser creado a partir de que chown ser\u00eda llamado, cambiando el propietario del archivo a root. Corregido en las versiones 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 y 2.20.11-0ubuntu22."}], "id": "CVE-2020-8833", "lastModified": "2022-10-07T15:14:27.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 4.0, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-04-22T22:15:12.577", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4315-1/"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4315-2/"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-367"}], "source": "security@ubuntu.com", "type": "Secondary"}]}