CVE-2021-3864

Published: Aug 26, 2022Modified: Nov 21, 2024

7.0

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.0 / Impact: 5.9

Source: NVD

Description

A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.

Affected (6)

Products: Linux: Linux Kernel · Debian: Debian Linux · Redhat: Enterprise Linux

1 product

1 product

1 product

Enterprise Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Linux Linux Kernel	All versions

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 9.0

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (14)

https://access.redhat.com/security/cve/CVE-2021-3864

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2015046

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/

Source: secalert@redhat.com

https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/

Source: secalert@redhat.com

https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/

Source: secalert@redhat.com

https://security-tracker.debian.org/tracker/CVE-2021-3864

Source: secalert@redhat.com

Third Party Advisory

https://www.openwall.com/lists/oss-security/2021/10/20/2

Source: secalert@redhat.com

ExploitMailing ListThird Party Advisory

https://access.redhat.com/security/cve/CVE-2021-3864

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2015046

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lore.kernel.org/all/20211226150310.GA992%401wt.eu/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security-tracker.debian.org/tracker/CVE-2021-3864

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.openwall.com/lists/oss-security/2021/10/20/2

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

Timeline

No history available yet.