CVE-2018-16588 in Linux Enterprise
Summary
by MITRE
Privilege escalation can occur in the SUSE useradd.c code in useradd, as distributed in the SUSE shadow package through 4.2.1-27.9.1 for SUSE Linux Enterprise 12 (SLE-12) and through 4.5-5.39 for SUSE Linux Enterprise 15 (SLE-15). Non-existing intermediate directories are created with mode 0777 during user creation. Given that they are world-writable, local attackers might use this for privilege escalation and other unspecified attacks. NOTE: this would affect non-SUSE users who took useradd.c code from a 2014-04-02 upstream pull request; however, no non-SUSE distribution is known to be affected.
Analysis
by VulDB Data Team • 03/27/2020
CVE-2018-16588 is a privilege escalation flaw in the useradd.c implementation of the SUSE shadow package, affecting the SUSE Linux Enterprise 12 and 15 distributions. The issue stems from improper directory permissions during user account provisioning: when the useradd utility has to create intermediate (parent) directories for a new user's home directory, it fails to set restrictive permissions on them, which gives local attackers a path to elevated system privileges.
The technical root cause is that non-existing intermediate directories are created with mode 0777, granting read, write, and execute permission to every user on the system. This violates the principle of least privilege and leaves a persistent weakness that a malicious local user can leverage. When useradd processes a user creation request, it recursively creates the directory structure leading to the new home directory and its associated files, but does not enforce proper access controls on the intermediate components. The resulting window of opportunity corresponds to the privilege escalation techniques catalogued in the ATT&CK framework.
The operational impact extends beyond a simple local privilege escalation, because world-writable directories open several attack vectors for system compromise. An attacker can modify or replace critical system files beneath them, inject malicious code, or manipulate system configuration to maintain persistent access. CWE-732 (Incorrect Permission Assignment for Critical Resource) classifies this as a permission assignment error that directly enables unauthorized modification of system resources. The flaw therefore affects both the integrity and the confidentiality of the system, and the unauthorized access points it creates can be used by malicious insiders as well as by external attackers who have already gained an initial foothold.
Mitigation should start with the package updates from SUSE: bring the shadow package to a version that creates intermediate directories with restrictive permissions during account creation. System administrators should also monitor for unauthorized directory modifications and consider additional controls such as mandatory access controls or file integrity monitoring. The fix itself modifies useradd.c so that intermediate directories are created with appropriate permissions, typically restricting access to the owning user and group only. Organizations should additionally review their privilege escalation policies and user account management procedures to minimize the attack surface. The case illustrates how a seemingly minor implementation flaw in a system utility, here a wrong default permission, can have significant security consequences. The ATT&CK framework categorizes this as a privilege escalation technique under "Modify System Software", where attackers leverage system utilities with insecure default configurations to gain elevated privileges.
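As an added example (not SUSE's or upstream shadow's code), the hardened pattern for creating missing parent directories with the caller's mode instead of 0777, next to an audit function an administrator can run over existing home-directory paths to find the world-writable intermediate directories this flaw leaves behind; the function names, buffer sizes and the sample directory layout in the comments are my own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hardened pattern: create every missing component of path with the
 * caller's mode (0755 for home-directory parents), never 0777.
 * Returns 0 on success, -1 with errno set on failure. */
int mkdir_parents(const char *path, mode_t mode)
{
    char buf[4096];
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    memcpy(buf, path, n + 1);
    for (char *p = buf + 1; *p; p++) {      /* skip the leading '/' */
        if (*p != '/') continue;
        *p = '\0';                           /* cut at this component */
        if (mkdir(buf, mode) != 0 && errno != EEXIST) return -1;
        *p = '/';
    }
    return (mkdir(buf, mode) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Audit check: count the ancestors of path (not path itself) that are
 * world-writable without the sticky bit, i.e. the condition a vulnerable
 * useradd leaves behind. Returns -1 if path is empty or too long. */
int count_world_writable_parents(const char *path)
{
    char buf[4096];
    struct stat st;
    int bad = 0;
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof buf) return -1;
    memcpy(buf, path, n + 1);
    for (char *p = buf + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';                           /* examine each ancestor */
        if (stat(buf, &st) == 0 && S_ISDIR(st.st_mode) &&
            (st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
            bad++;
        *p = '/';
    }
    return bad;
}
```

Running the audit over every home directory listed in /etc/passwd (with `getent passwd`) gives a quick post-patch check that no 0777 parents remain from accounts created before the fix.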