CVE-2022-0563 in util-linux
Summary
by MITRE • 02/21/2022
A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
Analysis
by VulDB Data Team • 06/09/2025
The vulnerability identified as CVE-2022-0563 resides within the util-linux chfn and chsh command-line utilities, which are fundamental components for managing user information and shell preferences on Unix-like systems. These utilities, when compiled with Readline library support, exhibit a critical security flaw that stems from improper error handling mechanisms. The Readline library, widely used for command-line editing capabilities, relies on the INPUTRC environment variable to locate its configuration file. This configuration file contains various settings that control the behavior of the Readline library during interactive sessions. The flaw manifests when the Readline library encounters a malformed configuration file that it cannot parse, causing it to output an error message that inadvertently includes data extracted from the problematic configuration file itself. This design oversight creates a significant information disclosure vulnerability that can be exploited by unprivileged users to access sensitive data that would normally be restricted to root privileges.
The technical nature of this vulnerability aligns with CWE-209, which describes "Information Exposure Through an Error Message," and represents a specific implementation of how error handling can introduce security weaknesses in system components. When an unprivileged user manipulates the INPUTRC environment variable to point to a root-owned configuration file, the Readline library's error message generation process exposes the contents of that file to the user who initiated the chfn or chsh command. This occurs because the library does not sanitize or filter the data from the configuration file before incorporating it into error messages, effectively creating a data leakage mechanism that bypasses normal access controls. The vulnerability is particularly concerning because it allows for privilege escalation by enabling attackers to read sensitive files that contain authentication credentials, system configuration details, or other confidential information that should remain restricted to privileged users.
The operational impact of CVE-2022-0563 extends beyond simple information disclosure to represent a potential path for privilege escalation within affected systems. Attackers who can control the INPUTRC environment variable can leverage this vulnerability to extract valuable information from root-owned files, potentially including password hashes, cryptographic keys, or system configuration parameters that could be used to further compromise the system. This vulnerability affects all util-linux versions prior to 2.37.4, meaning that organizations running older versions of this essential system utility are at risk of exploitation. The flaw is particularly dangerous in environments where multiple users share the same system and where the chfn and chsh utilities are frequently used, as it provides a consistent attack vector that does not require special privileges to exploit. The vulnerability also aligns with ATT&CK technique T1059.001, "Command and Scripting Interpreter: Shell Script," as it can be exploited through shell environments where the INPUTRC variable might be manipulated.
Mitigation of this vulnerability requires immediate patching of affected util-linux versions to 2.37.4 or later, which contains the necessary fixes to prevent the inclusion of sensitive data in error messages generated by the Readline library. System administrators should also implement additional security measures such as restricting the INPUTRC environment variable in user contexts where it might be manipulated, implementing proper file permissions on configuration files, and monitoring for unusual usage patterns of the chfn and chsh utilities. Organizations should conduct thorough vulnerability assessments to identify systems running affected versions and prioritize patching based on risk assessment. The fix implemented in util-linux 2.37.4 addresses the root cause by ensuring that error messages generated by the Readline library do not include potentially sensitive data extracted from configuration files, thereby preventing the information disclosure that enabled the privilege escalation vector. Security monitoring should also be enhanced to detect potential exploitation attempts through manipulation of the INPUTRC environment variable, particularly in environments where these utilities are frequently accessed by unprivileged users.
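An exposure check for the conditions named above (util-linux older than 2.37.4, built with Readline), added here as an example and not taken from util-linux or VulDB. The function names are hypothetical, and it assumes `ldd` is available and that util-linux tools report their version as `<tool> from util-linux <version>`.

```shell
#!/bin/sh
# Added example: flag chfn/chsh builds matching the CVE-2022-0563 conditions.
# Usage: sh check.sh --scan   (function names here are hypothetical)
FIXED_VERSION="2.37.4"   # first fixed release, per the advisory text

# version_lt A B: succeed when dotted version A sorts before B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # drop suffixes such as "-rc1"
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# parse_ul_version TEXT: print the version from "<tool> from util-linux X.Y.Z".
parse_ul_version() {
    case $1 in
        *"util-linux "*) v=${1##*util-linux }; printf '%s\n' "${v%%[!0-9.]*}" ;;
    esac
}

# classify VERSION_OUTPUT LDD_OUTPUT: print a one-word verdict for one binary.
classify() {
    ver=$(parse_ul_version "$1")
    [ -n "$ver" ] || { echo "not-util-linux"; return 0; }
    version_lt "$ver" "$FIXED_VERSION" || { echo "fixed-version"; return 0; }
    case $2 in *libreadline*) ;; *) echo "no-readline"; return 0 ;; esac
    echo "affected-version-with-readline"
}

# check_binary NAME: gather facts about the installed tool and report them.
check_binary() {
    path=$(command -v "$1" 2>/dev/null) || { echo "$1: not installed"; return 0; }
    out=$("$path" --version 2>/dev/null </dev/null) || out=
    libs=$(ldd "$path" 2>/dev/null) || libs=
    suid=no; [ -u "$path" ] && suid=yes
    echo "$1: $(classify "$out" "$libs") (setuid=$suid, path=$path)"
}

if [ "${1:-}" = "--scan" ]; then
    for tool in chfn chsh; do check_binary "$tool"; done
fi
```

A `fixed-version` or `affected-version-with-readline` verdict rests on the reported version string only; distributions that backport fixes keep the older string, so confirm against the vendor's advisory for the installed package.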