CVE-2018-1113 in setup

Summary

by MITRE

setup before version 2.11.4-1.fc28 in Fedora and Red Hat Enterprise Linux added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user's shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system.


Analysis

by VulDB Data Team • 03/29/2023

The vulnerability described in CVE-2018-1113 represents a critical security flaw in the setup package configuration for Fedora and Red Hat Enterprise Linux systems. This issue emerged from an improper modification to the /etc/shells file, where the setup package included entries for /sbin/nologin and /usr/sbin/nologin in the list of valid shells. The fundamental problem lies in the security assumptions that underpin Unix-like system authentication mechanisms, particularly the pam_shells module and various system daemons that rely on shell validation for access control. According to CWE-264, this vulnerability stems from inadequate privileges or improper access control mechanisms, specifically the violation of the principle of least privilege in shell assignment.

The technical flaw manifests in how the pam_shells module operates within the Pluggable Authentication Modules framework, which is a core component of the Linux-PAM security architecture. When a user's shell is set to /sbin/nologin, the system should prevent that user from accessing the system through normal login mechanisms. However, due to the inclusion of these nologin paths in /etc/shells, certain authentication systems bypassed their intended security checks. The ATT&CK framework categorizes this as a privilege escalation technique, specifically under T1068 - Exploitation for Privilege Escalation, as it allows unauthorized access through misconfigured authentication controls. This flaw demonstrates how seemingly innocuous system configuration changes can create unexpected security vulnerabilities by undermining the trust model of authentication systems.

The operational impact of this vulnerability extends beyond simple access control failures, creating potential pathways for unauthorized system access and privilege escalation. Users whose shells had been set to a nologin path could still pass authentication mechanisms that rely on shell validation, because those mechanisms found the nologin path listed in /etc/shells and treated it as a valid shell, effectively allowing these users to log into systems even when they should be denied access. This creates a dangerous scenario where system administrators believe they have properly restricted user access through shell assignment, while the underlying configuration actually provides a backdoor for system compromise. The vulnerability affects systems where the pam_shells module is actively enforcing shell restrictions, particularly in environments where SSH access and other network services depend on proper shell validation for user authentication.

Mitigation strategies for this vulnerability require immediate remediation through package updates that correct the setup package behavior, ensuring that nologin paths are not included in the /etc/shells file. System administrators should verify that their /etc/shells file contains only legitimate login shells such as /bin/bash, /bin/sh, /bin/zsh, and other authorized shell paths. The fix involves reverting the problematic changes made to the setup package and ensuring that system updates are properly applied to prevent future occurrences. Organizations should also conduct security audits of their authentication configurations and review all shell assignments to ensure compliance with security best practices. According to security standards such as those outlined in NIST SP 800-53, this vulnerability highlights the importance of proper access control configuration and the need for regular security assessments of authentication mechanisms to prevent unauthorized access through configuration errors.
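The /etc/shells verification described above can be scripted. The following is an added example, not code from VulDB, MITRE or the setup package; the function names, the `NON_LOGIN` set and the sample file contents are assumptions constructed for illustration. It flags non-login programs listed in /etc/shells and the accounts that would still pass a "shell is listed in /etc/shells" check.

```python
"""Audit /etc/shells content for the CVE-2018-1113 condition (added example)."""
from pathlib import PurePosixPath

# Assumption: program names treated as "not a login shell" for this audit.
NON_LOGIN = {"nologin", "false"}

def parse_shells(text):
    """Return shell paths from /etc/shells content, skipping comments and blanks."""
    shells = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.append(line)
    return shells

def non_login_entries(shells):
    """Entries that refuse interactive login but are listed as valid shells."""
    return [s for s in shells if PurePosixPath(s).name in NON_LOGIN]

def exposed_accounts(passwd_text, shells):
    """Accounts whose non-login shell still passes a 'listed in /etc/shells' check."""
    listed = set(non_login_entries(shells))
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # A passwd entry has seven fields; the last one is the login shell.
        if len(fields) == 7 and fields[6] in listed:
            hits.append((fields[0], fields[6]))
    return hits

# Constructed sample data, not taken from a real host.
SHELLS_AFFECTED = """\
# /etc/shells with the nologin entries described in the summary (constructed)
/bin/sh
/bin/bash
/sbin/nologin
/usr/sbin/nologin
"""
SHELLS_FIXED = "/bin/sh\n/bin/bash\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftpuser:x:1001:1001:disabled account:/home/ftpuser:/sbin/nologin
"""

if __name__ == "__main__":
    for label, text in (("affected", SHELLS_AFFECTED), ("fixed", SHELLS_FIXED)):
        shells = parse_shells(text)
        print(label, non_login_entries(shells), exposed_accounts(PASSWD, shells))
```

To audit a host, pass the contents of its own /etc/shells and /etc/passwd to the same functions; an empty result from `non_login_entries` is the expected state after the package update.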

Reservation

12/04/2017

Disclosure

07/02/2018

Moderation

accepted

CPE

ready

EPSS

0.00044

KEV

no

Activities

very low
