A vulnerability, which was classified as critical, was found in Supportutils up to 3.1-5.7.0. Affected is some unknown functionality of the component Command Line. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Supportutils, before version 3.1-5.7.1, when run with command line argument -A searched the file system for a ndspath binary. If an attacker provides one at an arbitrary location it is executed with root privileges

The bug was discovered 03/15/2019. The weakness was disclosed 03/05/2019 as Bug 1117751 as confirmed bug report (Bugzilla). The advisory is available at bugzilla.suse.com. This vulnerability is traded as CVE-2018-19636 since 11/28/2018. Local access is required to approach this attack. A authentication is required for exploitation. The technical details are unknown and an exploit is not available.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 172150 (SUSE Enterprise Linux Security Update for supportutils (SUSE-SU-2019:13976-1)).

Upgrading to version 3.1-5.7.1 eliminates this vulnerability.

The entries VDB-131326, VDB-131325, VDB-131324 and VDB-131323 are pretty similar.

Productinfo

Name

• Supportutils

Version

• 3.1-5.0
• 3.1-5.1
• 3.1-5.2
• 3.1-5.3
• 3.1-5.4
• 3.1-5.5
• 3.1-5.6
• 3.1-5.7

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion