CVE-2017-8900 in LightDM
Summary
by MITRE
LightDM through 1.22.0, when systemd is used in Ubuntu 16.10 and 17.x, allows physically proximate attackers to bypass intended AppArmor restrictions and visit the home directories of arbitrary users by establishing a guest session.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/06/2022
CVE-2017-8900 is a confinement-bypass flaw in the LightDM display manager affecting versions through 1.22.0 as shipped on Ubuntu 16.10 and 17.x, where LightDM runs under systemd. The weakness lies in the interaction between LightDM's guest-session handling and the AppArmor policy that is supposed to restrict that session. Exploiting it needs no credentials and no network access: anyone standing at the console can select the guest session at the greeter, which is why MITRE classifies the attacker as physically proximate. That same fact bounds the exposure to machines an outsider can reach, such as shared desktops, kiosks and unattended laptops.
The root cause is in how the guest session is confined. Ubuntu's lightdm package ships an AppArmor profile for guest sessions whose purpose is to deny the guest user access to other users' home directories and most of the rest of the filesystem. On the affected releases, where LightDM is started through systemd, that profile was not applied when the guest session was initialised, so the guest's processes ran unconfined. Nothing in the discretionary permissions stops them at that point: Ubuntu of that era created home directories world-readable (mode 0755), so an unconfined guest can list and read every file under /home/* that its owner has not explicitly locked down. The flaw is therefore not a privilege escalation in the uid sense but a failure to apply the mandatory access control layer that the system was relying on for isolation between the guest and real users.
Operationally, the flaw undermines the least-privilege property that the guest session exists to provide. A guest can read other users' personal documents, configuration files, shell history, and whatever credentials live in the home directory, such as SSH private keys under ~/.ssh or GPG keyrings. Because the attack needs only a few seconds at the console, it is most dangerous where machines are left unattended or where unauthorized physical access is possible; a session that was designed to be disposable becomes a way to pull data out of every account on the machine.
The impact goes beyond reading files, since material found in a home directory can be turned into further access: an SSH private key or a cached authentication token lets the attacker act as that user on other systems, and configuration files reveal internal hostnames and services worth targeting next. In ATT&CK terms this is T1005 (Data from Local System) leading to T1552.004 (Unsecured Credentials: Private Keys), with any harvested credential then reused under T1078 (Valid Accounts). The weakness class is CWE-284 (Improper Access Control): a session-management component that fails to apply the access-control policy meant to bound the guest's privileges.
The remediation is the vendor's fixed lightdm package, which restores the AppArmor confinement of guest sessions; administrators should install it and then verify, rather than assume, that a freshly started guest session is actually confined (aa-status lists the loaded profiles, and /proc/<pid>/attr/current for a guest-owned process should show the guest profile in enforce mode instead of "unconfined"). Where the package cannot be updated promptly, disabling the guest session in LightDM's configuration (allow-guest=false) removes the attack path entirely and is a sensible permanent choice on any machine that does not need it. Physical measures such as locked workstations and screen locking shorten the window in which a passer-by can reach the greeter. Finally, audits of display managers and session handlers should confirm that every session type, not just full logins, ends up with the isolation the policy intends.
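As an added example covering both the confinement failure described in the analysis and the verification and configuration steps in the mitigation paragraph (this is an illustrative script written for this page, not LightDM or Ubuntu project code), the following POSIX shell script checks whether a running guest session carries the AppArmor profile and produces the LightDM drop-in that disables guest sessions. It assumes Ubuntu's profile name lightdm-guest-session, guest account names of the form guest-*, and the "label (mode)" format of /proc/<pid>/attr/current; the function names and the config-text check are this example's own and go slightly beyond the page by handling complain mode and malformed labels.

```sh
#!/bin/sh
# Added example for this page; not LightDM or Ubuntu project code.
# Assumptions: Ubuntu confines guest sessions with the AppArmor profile
# "lightdm-guest-session", guest accounts are named guest-*, and
# /proc/<pid>/attr/current reads either "unconfined" or "<profile> (<mode>)".

GUEST_PROFILE="lightdm-guest-session"

# is_guest_confined LABEL
#   LABEL is the text read from /proc/<pid>/attr/current. Succeeds only when
#   the guest profile is attached in enforce mode. "unconfined" (the state
#   CVE-2017-8900 leaves the guest in), complain mode, or any other profile
#   all fail, because none of them actually blocks reads of /home/*.
is_guest_confined() {
    case "$1" in
        "$GUEST_PROFILE (enforce)") return 0 ;;
        *)                          return 1 ;;
    esac
}

# confinement_label PID
#   Prints the AppArmor label of a process, or "unconfined" when no label can
#   be read (no LSM, process gone). Run as root when inspecting another user.
confinement_label() {
    cat "/proc/$1/attr/current" 2>/dev/null || echo unconfined
}

# check_live_guest_session
#   Locates the first process owned by a guest-* account and reports whether
#   it is confined. Returns 0 if confined, 1 if not, 2 if no guest is running.
check_live_guest_session() {
    guest_user=$(getent passwd | awk -F: '$1 ~ /^guest-/ {print $1; exit}')
    [ -n "$guest_user" ] || { echo "no guest session is running"; return 2; }
    pid=$(pgrep -u "$guest_user" | head -n 1)
    [ -n "$pid" ] || { echo "no process for $guest_user"; return 2; }
    label=$(confinement_label "$pid")
    if is_guest_confined "$label"; then
        echo "guest session ($guest_user, pid $pid) is confined: $label"
        return 0
    fi
    echo "guest session ($guest_user, pid $pid) is NOT confined: $label"
    return 1
}

# no_guest_dropin
#   Prints the LightDM drop-in that disables guest sessions, the compensating
#   control while the fixed package is not yet installed. Install it with
#     no_guest_dropin > /etc/lightdm/lightdm.conf.d/50-no-guest.conf
#   and restart lightdm so the new configuration is read.
no_guest_dropin() {
    printf '[Seat:*]\nallow-guest=false\n'
}

# guest_disabled_in CONFIG_TEXT
#   Succeeds when CONFIG_TEXT contains an active allow-guest=false line
#   (whitespace around '=' tolerated, commented lines ignored). It does not
#   resolve precedence between several drop-ins; pass the merged text.
guest_disabled_in() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*allow-guest[[:space:]]*=[[:space:]]*false[[:space:]]*$'
}

# Run the live check only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--check" ]; then
    check_live_guest_session
fi
```

Run it as root with --check while a guest session is open; on a vulnerable system the label printed is "unconfined", on a patched one "lightdm-guest-session (enforce)". The drop-in is the compensating control, not the fix: the fixed package is still needed so that guest sessions, if ever re-enabled, are confined.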