A vulnerability was found in Supportutils up to 3.1-5.7.0. It has been classified as critical. This affects an unknown code block of the component RPM Verification. The manipulation with an unknown input leads to a command injection vulnerability. CWE is classifying the issue as CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g. with CVE-2018-19638) he can execute arbitrary commands as root.

The bug was discovered 03/15/2019. The weakness was published 03/05/2019 as Bug 1118462 as confirmed bug report (Bugzilla). The advisory is shared at bugzilla.suse.com. This vulnerability is uniquely identified as CVE-2018-19639 since 11/28/2018. An attack has to be approached locally. The requirement for exploitation is a authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1202 for this issue.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 172133 (OpenSUSE Security Update for supportutils (openSUSE-SU-2019:0293-1)).

Upgrading to version 3.1-5.7.1 eliminates this vulnerability.

Similar entries are available at VDB-131323, VDB-131324 and VDB-131326.

Productinfo

Name

• Supportutils

Version

• 3.1-5.0
• 3.1-5.1
• 3.1-5.2
• 3.1-5.3
• 3.1-5.4
• 3.1-5.5
• 3.1-5.6
• 3.1-5.7

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion