CVE-2016-4446 : The allow_execstack plugin for setroubleshoot allows local users to execute arbi

The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.

Published 2017-04-11 18:59:00

Updated 2017-04-17 13:29:18

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2016-4446

Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Hpc Node » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
Matching versions
Setroubleshoot Project » Setroubleshoot
Versions up to, including, (<=) -
cpe:2.3:a:setroubleshoot_project:setroubleshoot:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-4446

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 19 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-4446

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.0	HIGH	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-4446

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-4446

https://github.com/fedora-selinux/setroubleshoot/commit/eaccf4c0d20a27d3df5ff6de8c9dcc80f6f40718

plugins: Use subprocess.check_output() with a sequence of program arg… · fedora-selinux/setroubleshoot@eaccf4c · GitHub
Patch
https://bugzilla.redhat.com/show_bug.cgi?id=1339250

1339250 – (CVE-2016-4446) CVE-2016-4446 setroubleshoot-plugins: insecure commands.getoutput use in the allow_execstack plugin
Issue Tracking
https://access.redhat.com/errata/RHSA-2016:1293

RHSA-2016:1293 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1036144

SETroubleShoot allow_execmod Plugin Lets Local Users Obtain Root Privileges - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://rhn.redhat.com/errata/RHSA-2016-1267.html

RHSA-2016:1267 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/91427

setroubleshoot-plugins CVE-2016-4446 Local Arbitrary Code Execution Vulnerability
Third Party Advisory;VDB Entry
http://seclists.org/oss-sec/2016/q2/575

oss-sec: Re: SELinux troubles
Exploit;Mailing List;Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-4446

Products affected by CVE-2016-4446

Exploit prediction scoring system (EPSS) score for CVE-2016-4446

CVSS scores for CVE-2016-4446

CWE ids for CVE-2016-4446

References for CVE-2016-4446