CVE-2017-6590 in Linux
Summary
by MITRE
An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user. The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you use a certificate to log in is required as well, but it's easy to create one. Then, it's possible to open a nautilus window and browse directories. One also can open some applications such as Firefox, which is useful for downloading malicious binaries.
Analysis
by VulDB Data Team • 02/06/2020
This vulnerability exists in the network-manager-applet component of Ubuntu's network management stack and affects Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. It is a local privilege escalation: under specific environmental conditions an attacker at the default Ubuntu login screen, where users expect the system to be locked down, gains access to local files and command execution that the greeter is supposed to deny.
The flaw arises from the interaction between the network manager applet and the lightdm display manager, which opens a path to elevated privileges when certain conditions are met. The attack requires physical access to a locked computer, placing it in the class of local privilege escalation attacks; in CWE terms it is an access-control weakness that lets an attacker bypass the normal controls of the greeter. The flaw sits at the authentication and authorization boundary of the desktop environment and lets the attacker execute arbitrary commands with the privileges of the lightdm user.
The operational impact goes beyond reading files, because the attacker can execute arbitrary code and download further software. The attack relies on a rogue wireless access point that authenticates clients with certificates, which is straightforward to set up with common tools. Once the applet is connected, the attacker can open the nautilus file manager and browse local directories, compromising the confidentiality of local files. Launching applications such as Firefox widens the attack surface further: malicious binaries can be downloaded and executed, a stepping stone toward broader compromise of the system or escalation to root.
This attack vector undermines a basic assumption of desktop security, namely that the default login screen protects a locked machine from anyone who can reach the keyboard. The vulnerability maps to ATT&CK techniques for privilege escalation and credential access through local exploitation. The requirements of physical access and enabled Wi-Fi make the attack situational rather than remote, but it remains practical in targeted settings where an attacker can get close to a locked system. Because a certificate-based access point is easy to create, little technical expertise is needed, which makes the flaw especially dangerous where physical security controls are weak. Organizations should disable network services that are not needed at the login screen, enforce stronger physical access controls, and patch desktop environment components promptly to prevent exploitation of vulnerabilities of this kind.
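The observable side effect of this attack is that desktop applications such as nautilus or firefox end up running as the lightdm greeter user, which never happens on a healthy greeter. The following is an added detection example written for this page, not code from VulDB, MITRE or the network-manager-applet project. It parses `ps -eo user,pid,comm` output and flags processes owned by the greeter user that are either known interactive applications or outside a baseline of normal greeter processes. The baseline set and the sample ps output are constructed assumptions and must be tuned to the greeter actually deployed.

```python
"""Flag interactive applications running as the lightdm greeter user.

Added example for CVE-2017-6590 (not part of the original advisory text).
CVE-2017-6590 lets someone at the locked greeter open nautilus or firefox
as the lightdm user, so such processes owned by lightdm are a useful host
telemetry signal. The ps sample below is constructed; the baseline set is
an assumption for an Ubuntu 16.04 unity-greeter session and must be tuned.
"""
import re
import subprocess
from typing import List, NamedTuple


class Finding(NamedTuple):
    pid: int
    comm: str
    reason: str


# Processes that are normal in the greeter session (assumption, tune for
# your greeter). ps truncates the comm column to 15 characters, hence
# the cut-off indicator names.
GREETER_BASELINE = {
    "unity-greeter", "lightdm-gtk-greeter", "nm-applet", "dbus-daemon",
    "at-spi-bus-launcher", "at-spi2-registryd", "indicator-appli",
    "indicator-datet", "indicator-keybo", "indicator-power",
    "indicator-sessi", "indicator-sound", "indicator-messa",
    "indicator-bluet", "unity-settings-", "upstart", "init",
    "gnome-keyring-d", "dconf-service", "hud-service", "bamfdaemon",
    "pulseaudio",
}

# Desktop applications and shells that have no business in the greeter session.
INTERACTIVE_APPS = {
    "nautilus", "firefox", "gnome-terminal", "xterm", "bash", "sh", "dash",
    "wget", "curl", "python", "python3",
}

# One ps line: USER PID COMM (the header line has no numeric PID and is skipped).
PS_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s*(.*)$")

# Constructed sample output of `ps -eo user,pid,comm` during an attack.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 systemd
lightdm   1455 unity-greeter
lightdm   1460 nm-applet
lightdm   1461 dbus-daemon
lightdm   2210 nautilus
lightdm   2288 firefox
alice     3001 gnome-shell
"""


def audit_greeter_processes(ps_output: str, greeter_user: str = "lightdm") -> List[Finding]:
    """Return findings for processes owned by greeter_user that look wrong."""
    findings: List[Finding] = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue  # header or malformed line
        user, pid, comm = m.group(1), int(m.group(2)), m.group(3)
        if user != greeter_user:
            continue
        if comm in INTERACTIVE_APPS:
            findings.append(Finding(pid, comm, "interactive application running as greeter user"))
        elif comm not in GREETER_BASELINE:
            findings.append(Finding(pid, comm, "process outside greeter baseline"))
    return findings


def collect_live_ps() -> str:
    """Read the live process table in the same column layout as SAMPLE_PS."""
    return subprocess.run(
        ["ps", "-eo", "user,pid,comm"], check=True, capture_output=True, text=True
    ).stdout


def main() -> None:
    # Run against the constructed sample; swap in collect_live_ps() on a real host.
    for f in audit_greeter_processes(SAMPLE_PS):
        print(f"pid={f.pid} comm={f.comm}: {f.reason}")


if __name__ == "__main__":
    main()
```

On a real host the check would be scheduled (cron or a systemd timer) and its output forwarded to the SIEM; a non-empty result while the greeter is shown is the signal worth alerting on, since legitimate greeter sessions never spawn file managers or browsers.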