#VU36755 Improper Verification of Cryptographic Signature in libzypp - CVE-2018-7685

Cybersecurity Help s.r.o.

Published: 2018-08-31 | Updated: 2020-08-08

Vulnerability identifier: #VU36755

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-7685

CWE-ID: CWE-347

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
libzypp
Operating systems & Components / Operating system package or component

Vendor: SUSE

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libzypp: 17.0.0 - 17.4.0

External links
https://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html
https://bugzilla.suse.com/show_bug.cgi?id=1091624
https://www.suse.com/de-de/security/cve/CVE-2018-7685/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for libzypp, zypper

Fedora 27 update for libzypp, zypper

Improper Verification of Cryptographic Signature in SuSE libzypp