CVE-2023-29383 - OpenCVE

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Shadow Project	Shadow

Configuration 1 [-]

cpe:2.3:a:shadow_project:shadow:4.13:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
https://github.com/shadow-maint/shadow/pull/687
https://nvd.nist.gov/vuln/detail/CVE-2023-29383
https://www.cve.org/CVERecord?id=CVE-2023-29383
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-04-14T00:00:00

Updated: 2024-08-02T14:07:45.784Z

Reserved: 2023-04-05T00:00:00

Link: CVE-2023-29383

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-14T22:15:07.680

Modified: 2023-04-24T18:05:30.313

Link: CVE-2023-29383

Redhat

Severity : Moderate

Publid Date: 2023-04-15T00:00:00Z

Links: CVE-2023-29383 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-29383", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T14:07:45.784Z", "dateReserved": "2023-04-05T00:00:00", "datePublished": "2023-04-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-04-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/shadow-maint/shadow/pull/687"}, {"url": "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d"}, {"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797"}, {"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:07:45.784Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/shadow-maint/shadow/pull/687", "tags": ["x_transferred"]}, {"url": "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", "tags": ["x_transferred"]}, {"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797", "tags": ["x_transferred"]}, {"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shadow_project:shadow:4.13:*:*:*:*:*:*:*", "matchCriteriaId": "79B0C1D0-9CF5-451D-B3B3-750B64FD7575", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account."}], "id": "CVE-2023-29383", "lastModified": "2023-04-24T18:05:30.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-14T22:15:07.680", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/shadow-maint/shadow/pull/687"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "shadow: Improper input validation in shadow-utils package utility chfn", "id": "2187184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187184"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", "A flaw was found in Shadow, where it is possible to inject control characters into fields provided to the SUID program change finger(chfn). Although it is not possible to exploit this directly (for example, adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Using \\r manipulations and Unicode characters to work around blocking the : character makes it possible to give the impression that a new user has been added. An adversary can convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account."], "name": "CVE-2023-29383", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "shadow-utils", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "shadow-utils", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "shadow-utils", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "shadow-utils", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-29383\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-29383\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/\nhttps://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797"], "statement": "The chfn library is provided in Red Hat Enterprise Linux 7, 8, and 9 by util-linux package, and not by shadow-utils. Hence, the shadow-utils package is not vulnerable by this CVE.", "threat_severity": "Moderate"}