Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-18955 — Incorrect Authorization in Kernel

CWE-863 — Incorrect Authorization CWE-285 — Improper Authorization24 documents11 sources

Severity

7.0HIGHNVD

EPSS

9.6%

top 7.12%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Linux Kernel Debian Linux Canonical Ubuntu Linux

Timeline

PublishedNov 16

Latest updateMay 13

Description

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namesp…

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages4 packages

▶NVDlinux/linux_kernel4.15 — 4.19.2

▶Debianlinux/linux_kernel< 4.18.20-1+3

▶Ubuntulinux/linux_kernel< 4.15.0-42.45

▶debiandebian/linux< linux 4.18.20-1 (bookworm)

Also affects: Ubuntu Linux 16.04, 18.04, 18.10

Patches

Patch: git.kernel.org ↗Patch: bugs.chromium.org ↗Patch: cdn.kernel.org ↗

🔴Vulnerability Details

GHSA

GHSA-c6xj-3c77-g5rg: In the Linux kernel 4↗2022-05-13

▶

OSV

linux-hwe, linux-gcp vulnerabilities↗2018-12-04

▶

OSV

linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities↗2018-12-03

▶

OSV

linux-aws vulnerabilities↗2018-11-30

▶

OSV

CVE-2018-18955: In the Linux kernel 4↗2018-11-16

▶

💥Exploits & PoCs

Exploit-DB

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)↗2019-01-04

▶

Exploit-DB

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)↗2019-01-04

▶

Exploit-DB

Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)↗2018-11-29

▶

Exploit-DB

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)↗2018-11-21

▶

Exploit-DB

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)↗2018-11-21

▶

📋Vendor Advisories

Ubuntu

Linux kernel (HWE) vulnerabilities↗2018-12-04

▶

Ubuntu

Linux kernel vulnerabilities↗2018-12-03

▶

Ubuntu

Linux kernel vulnerabilities↗2018-12-03

▶

Ubuntu

Linux kernel (AWS) vulnerabilities↗2018-11-30

▶

Ubuntu

Linux kernel (AWS) vulnerabilities↗2018-11-30

▶

📄Research Papers

arXiv

The Ideal Versus the Real: Revisiting the History of Virtual Machines and Containers↗2019-04-27

▶

💬Community

Bugzilla

CVE-2018-18955 kernel: Privilege escalation in map_write() in kernel/user_namespace.c [fedora-all]↗2018-11-22

▶

Bugzilla

CVE-2018-18955 kernel: Privilege escalation in map_write() in kernel/user_namespace.c↗2018-11-19

▶