Vulnerability Details : CVE-2017-9232
Public exploit exists!
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.
Vulnerability category: Gain privilege
Products affected by CVE-2017-9232
- cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta17:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta18:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta15:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta16:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta13:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta14:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.1.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:canonical:juju:2.0.0:rc2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-9232
22.34%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2017-9232
-
Juju-run Agent Privilege Escalation
Disclosure Date: 2017-04-13First seen: 2020-04-26exploit/linux/local/juju_run_agent_priv_escThis module attempts to gain root privileges on Juju agent systems running the juju-run agent utility. Juju agent systems running agent tools prior to version 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket to manage softwar
CVSS scores for CVE-2017-9232
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-9232
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-9232
-
https://www.exploit-db.com/exploits/44023/
Juju-run Agent - Privilege Escalation (Metasploit)
-
http://www.securityfocus.com/bid/98737
Juju CVE-2017-8849 Local Privilege Escalation VulnerabilityThird Party Advisory;VDB Entry
-
https://bugs.launchpad.net/juju/+bug/1682411
Bug #1682411 “juju-run unit root escalation vulnerability” : Bugs : jujuExploit;Issue Tracking;Third Party Advisory
Jump to