CVE-2018-10900
published 2018-07-26
Priority P2 · 58 · high · 7.8 CVSS 3.1
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.06% (91.2th percentile)
Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | network-manager-vpnc | < network-manager-vpnc 1.2.6-1 (bookworm) | network-manager-vpnc 1.2.6-1 (bookworm) |
| gnome | network_manager_vpnc | < 1.2.6 | 1.2.6 |
Detection & IOCs
- Monitor VPN connection configurations (e.g., via nmcli or NetworkManager config files) for newline characters ('\n') embedded within the 'Xauth username' field, which is the injection vector used to smuggle a 'Password helper' directive.
- Detect processes spawned by NetworkManager as root that originate from world-writable directories such as /tmp, which is the default payload drop location used by the exploit.
- Check for the presence of nmcli on the system as a prerequisite indicator; the exploit aborts if nmcli is not installed.
- Monitor NetworkManager-vpnc versions prior to 1.2.6 (e.g., 1.2.4-4 on Debian 9, 1.1.93-1 on Ubuntu 16.04) as confirmed vulnerable targets.
- The exploit requires an existing low-privileged shell or meterpreter session on the target; it is a local privilege escalation, not a remote exploit.
- The injected 'Password helper' binary path is written to a writable directory (default /tmp) and must be executable; detections should account for the payload being dropped under a hidden (dot-prefixed) random filename.
- The exploit cleans up the VPN connection after execution; forensic artifacts (the nmcli-created VPN connection and the payload file) may be removed, requiring volatile/memory-based detection.
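A check for the first indicator above, added here as an example (not code from any of the sources listed on this page). It assumes connection profiles are stored in NetworkManager's keyfile format with the vpnc settings in a `[vpn]` section, and that an embedded newline appears in the file as the escape `\n`; both sample profiles are constructed.

```python
import re

VPNC_SERVICE = "org.freedesktop.NetworkManager.vpnc"
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "s": " ", "\\": "\\"}

def unescape(value):
    """Decode keyfile escapes; an escaped backslash followed by 'n' stays literal."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)

def scan_keyfile(text):
    """Return [(key, [smuggled lines])] for vpnc [vpn] values that contain CR or LF."""
    section, entries = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "vpn" and "=" in line:
            key, _, raw = line.partition("=")
            entries[key.strip()] = unescape(raw.strip())
    if entries.get("service-type") != VPNC_SERVICE:
        return []  # not a vpnc profile
    findings = []
    for key, value in entries.items():
        # Anything after the first line break would reach vpnc as its own line.
        parts = re.split(r"[\r\n]+", value)
        if len(parts) > 1:
            findings.append((key, parts[1:]))
    return findings

# Constructed sample profiles (not taken from a real host).
SUSPICIOUS = r"""[connection]
id=corp-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.vpnc
IPSec gateway=192.0.2.10
Xauth username=alice\nPassword helper /tmp/.placeholder
"""
# Escaped backslash followed by 'n': a naive search for "\n" would misfire here.
BENIGN = SUSPICIOUS.replace(r"alice\nPassword helper /tmp/.placeholder", r"corp\\nadmin")

if __name__ == "__main__":
    for name, profile in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_keyfile(profile))
```

Because the page notes that the exploit removes the connection afterwards, a scan like this is most useful run on profile creation or change rather than as a periodic sweep.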
CVSS provenance
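| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |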
GHSA
ghsa_unreviewed·2022-05-13
CVE-2018-10900 [HIGH] CWE-78 GHSA-6cmp-3578-qc4p: Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1
OSV
osv·2018-07-26·CVSS 7.8
CVE-2018-10900 [HIGH] CVE-2018-10900: Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1
Debian
vendor_debian·2018·CVSS 7.8
CVE-2018-10900 [HIGH] CVE-2018-10900: network-manager-vpnc - Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vu...
Scope: local
bookworm: resolved (fixed in 1.2.6-1)
bullseye: resolved (fixed in 1.2.6-1)
forky: resolved (fixed in 1.2.6-1)
sid: resolved (fixed in 1.2.6-1)
trixie: resolved (fixed in 1.2.6-1)
No detection rules found.
Exploit-DB
Network Manager VPNC 1.2.6 - 'Username' Local Privilege Escalation (Metasploit)
exploitdb·2018-08-31·CVSS 7.8
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Network Manager VPNC Username Privilege Escalation',
'Description' => %q{
This module exploits an injection vulnerability in the Network Manager
VPNC plugin to gain root privileges.
This module uses a new line injection vulnerability in the configured
username for a VPN network connection to inject a `Password helper`
configuration directive into the connection configuration.
The specified helper is executed by Network Manager as root when the
connection is started.
Network Manager VPNC versions prior to 1.2.6 are vulnerable.
This module has
Metasploit
Network Manager VPNC Username Privilege Escalation
metasploit
This module exploits an injection vulnerability in the Network Manager VPNC plugin to gain root privileges. This module uses a new line injection vulnerability in the configured username for a VPN network connection to inject a `Password helper` configuration directive into the connection configuration. The specified helper is executed by Network Manager as root when the connection is started. Network Manager VPNC versions prior to 1.2.6 are vulnerable. This module has been tested successfully with VPNC versions: 1.2.4-4 on Debian 9.0.0 (x64); and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
Bugzilla
CVE-2018-10900 NetworkManager-vpnc: privilege escalation allows to execute arbitrary commands as root [epel-all]
bugzilla·2018-07-20·CVSS 7.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue af
Bugzilla
CVE-2018-10900 NetworkManager-vpnc: privilege escalation allows to execute arbitrary commands as root [fedora-all]
bugzilla·2018-07-20·CVSS 7.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issu
Bugzilla
CVE-2018-10900 NetworkManager-vpnc: privilege escalation allows to execute arbitrary commands as root
bugzilla·2018-07-20·CVSS 7.8
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.
References:
https://bugzilla.novell.com/show_bug.cgi?id=1101147
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news
Patch:
https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4
Discussion:
Created NetworkManager-vpnc tracking bugs for this issue:
Affects: epel-all [bug 1605922]
Affects: fedora-all [bug 1605921]
---
NetworkManager-vpnc-1.2.6-1.el7 has been pushed to the Fedora E
Dfir Report
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
blogs_dfir_report·2023-12-18
https://bugzilla.novell.com/show_bug.cgi?id=1101147
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10900
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news
https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4
https://lists.debian.org/debian-lts-announce/2018/07/msg00048.html
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
https://security.gentoo.org/glsa/201808-03
https://www.debian.org/security/2018/dsa-4253
https://www.exploit-db.com/exploits/45313/