CVE-2018-10900
published 2018-07-26

CVE-2018-10900: Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to…

Priority: P2 58 high
CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 5.06% (91.2th percentile)
Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

Affected (4 ranges)

Vendor    Product                Version range                                  Fixed in
debian    debian_linux           (not stated)                                   (not stated)
debian    debian_linux           (not stated)                                   (not stated)
debian    network-manager-vpnc   < network-manager-vpnc 1.2.6-1 (bookworm)      network-manager-vpnc 1.2.6-1 (bookworm)
gnome     network_manager_vpnc   < 1.2.6                                        1.2.6

Detection & IOCs (extracted from sources)

command: nmcli connection up <vpn_connection_name>
  • Monitor VPN connection configurations (e.g., via nmcli or NetworkManager config files) for newline characters ('\n') embedded within the 'Xauth username' field, which is the injection vector used to smuggle a 'Password helper' directive.
  • Detect processes spawned by NetworkManager as root that originate from world-writable directories such as /tmp, which is the default payload drop location used by the exploit.
  • Check for the presence of nmcli on the system as a prerequisite indicator; the exploit aborts if nmcli is not installed.
  • Monitor NetworkManager-vpnc versions prior to 1.2.6 (e.g., 1.2.4-4 on Debian 9, 1.1.93-1 on Ubuntu 16.04) as confirmed vulnerable targets.
  • The exploit requires an existing low-privileged shell or meterpreter session on the target; it is a local privilege escalation, not a remote exploit.
  • The injected 'Password helper' binary path is written to a writable directory (default /tmp) and must be executable; detections should account for the payload being dropped under a hidden (dot-prefixed) random filename.
  • The exploit cleans up the VPN connection after execution; forensic artifacts (the nmcli-created VPN connection and the payload file) may be removed, so volatile or memory-based detection is required.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v3.0      8.8     HIGH       CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd            v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv            -         7.8     HIGH       -
vendor_debian  -         7.8     HIGH       -