A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.
References
Link | Resource |
---|---|
https://access.redhat.com/security/cve/CVE-2021-3864 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2015046 | Issue Tracking Patch Third Party Advisory |
https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/ | |
https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/ | |
https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/ | |
https://security-tracker.debian.org/tracker/CVE-2021-3864 | Third Party Advisory |
https://www.openwall.com/lists/oss-security/2021/10/20/2 | Exploit Mailing List Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
01 Sep 2022, 15:56
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/ - Mailing List, Patch, Vendor Advisory | |
References | (MISC) https://security-tracker.debian.org/tracker/CVE-2021-3864 - Third Party Advisory | |
References | (MISC) https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com/ - Mailing List, Patch, Vendor Advisory | |
References | (MISC) https://access.redhat.com/security/cve/CVE-2021-3864 - Third Party Advisory | |
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2015046 - Issue Tracking, Patch, Third Party Advisory | |
References | (MISC) https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com/ - Mailing List, Patch, Vendor Advisory | |
References | (MISC) https://www.openwall.com/lists/oss-security/2021/10/20/2 - Exploit, Mailing List, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.0 |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
CWE | NVD-CWE-noinfo |
26 Aug 2022, 17:17
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-08-26 16:15
Updated : 2024-02-04 22:51
NVD link : CVE-2021-3864
Mitre link : CVE-2021-3864
CVE.ORG link : CVE-2021-3864
JSON object : View
Products Affected
redhat
- enterprise_linux
debian
- debian_linux
linux
- linux_kernel
CWE