CVE-2015-1815
published 2015-03-30


Priority: P2 (score 72, critical)
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public PoC available
EPSS: 16.45% (96.6th percentile)
The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name.

Affected (2 ranges)

Vendor          Product         Version range   Fixed in
fedoraproject   fedora
selinux         setroubleshoot  <= 3.2.21

Detection & IOCs (extracted from sources)

path: /tmp/foo.pem';`id|logger`;echo '
command: rpm -qf '%s'
command: id|logger
path: util.py
url: https://github.com/stealth/troubleshooter
  • Monitor for shell metacharacters (single quotes, backticks, semicolons) appearing in filenames passed to setroubleshootd, particularly in SELinux AVC denial reports. The vulnerable sink is `commands.getstatusoutput("rpm -qf '%s'" % name)` in util.py, which passes attacker-controlled filenames to `sh -c`.
  • Watch journalctl/syslog for unexpected `logger` output showing uid=0(root) context of `setroubleshootd_t`, which is the indicator used in the PoC to confirm successful exploitation.
  • Detect exploitation attempts via NetworkManager/openvpn plugin: look for nmcli commands adding VPN connections of type openvpn with CA certificate paths containing shell metacharacters (single quotes, backticks).
  • Flag any process spawned by setroubleshootd (running in setroubleshootd_t SELinux domain) that is not `rpm`. Legitimate behaviour is only `rpm -qf <path>`; any other child process indicates command injection.
  • Remote attack surface exists wherever attackers can influence filenames visible to SELinux AVC reports (web uploads, git, scp, ftp). Monitor for AVC denials referencing filenames with shell metacharacters in those directories.
  • The vulnerability only affects setroubleshoot versions before 3.2.22. Systems running setroubleshoot >= 3.2.22 (or patched 3.2.17-2 on Fedora 20) are not vulnerable, as the fix replaces `commands.getstatusoutput` with `subprocess.check_output` (no shell) and normalises paths with `os.path.abspath()`.
  • Systems running in SELinux permissive mode are fully exposed (effective root), whereas enforcing mode limits the attacker to the setroubleshootd_t domain's allowed rules and transitions, though this domain has significant privileges.
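To make the fix pattern and the monitoring above concrete, here is an added Python example; it is not code from setroubleshoot or from the PoC repository. `rpm_argv` builds the list-form `subprocess` invocation the fix relies on, so a path carrying the PoC's metacharacters stays a single argument that no shell parses, and `suspicious_avc_names` flags AVC denial records whose file-name fields contain such characters. The record layout, field names and sample log lines are constructed assumptions for illustration.

```python
import os
import re
import subprocess

# Characters a POSIX shell interprets when a file name is spliced into a
# command string such as "rpm -qf '%s'" (the pre-3.2.22 sink).
SHELL_META = re.compile(r"""[;&|`$'"\\<>(){}\n]""")

# File-name fields of an AVC denial record (assumes the plain quoted form,
# not auditd's hex encoding of unusual names).
AVC_NAME = re.compile(r'\b(?:name|path)="([^"]*)"')


def rpm_argv(name):
    """Hardened pattern from the fix: normalise the path and hand it to rpm as
    one argv element; no shell parses it, so metacharacters stay literal."""
    return ["rpm", "-qf", os.path.abspath(name)]


def rpm_nvr_by_path(name, runner=subprocess.check_output):
    """Owning package for `name`. `runner` defaults to check_output in list
    form (shell=False) and is injectable so the logic can run offline."""
    return runner(rpm_argv(name)).decode().strip()


def has_shell_meta(name):
    """True when a file name carries characters worth alerting on."""
    return SHELL_META.search(name) is not None


def suspicious_avc_names(log_lines):
    """(file name, record) pairs for AVC denials whose name or path field
    contains shell metacharacters: the monitoring suggested above."""
    hits = []
    for line in log_lines:
        if "avc:" not in line or "denied" not in line:
            continue
        for field in AVC_NAME.findall(line):
            if has_shell_meta(field):
                hits.append((field, line))
    return hits


# Constructed sample records (not captured from a real host); the second uses
# the file name quoted in the public PoC for this CVE.
SAMPLE_LOG = [
    'type=AVC msg=audit(1427700000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    "type=AVC msg=audit(1427700000.102:202): avc:  denied  { read } for  pid=1202 comm=\"NetworkManager\" name=\"foo.pem';`id|logger`;echo '\" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file",
]

if __name__ == "__main__":
    for name, _ in suspicious_avc_names(SAMPLE_LOG):
        print("suspicious file name in AVC record:", repr(name))
```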

CVSS provenance

nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 10.0 CRITICAL