#VU5366 Privilege escalation in systemd - CVE-2016-10156

Cybersecurity Help s.r.o.

Published: 2017-01-24 | Updated: 2018-09-14

Vulnerability identifier: #VU5366

Vulnerability risk: Medium

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2016-10156

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: Yes

Vulnerable software:
systemd
Server applications / Other server solutions

Vendor: Freedesktop.org

Description
The vulnerability allows a local user to obtain root privileges.

The vulnerability exists within the touch_file() function in "/src/basic/fs-util.c". A local user can use systemd timer functions to create world writable set user id (suid) files, owned by root user, and gain root privileges on vulnerable system.

Successful exploitation of the vulnerability may allow a local user to gain root privileges on vulnerable system.

Mitigation
The vulnerability was fixed in version v229.

Vulnerable software versions

systemd: 228

External links
https://bugzilla.suse.com/show_bug.cgi?id=1020601
https://github.com/systemd/systemd/commit/06eeacb6fe029804f296b065b3ce91e796e1cd0e
https://github.com/systemd/systemd/commit/ee735086f8670be1591fa9593e80dd60163a7a2f

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

OpenSUSE Linux update for systemd

SUSE Linux update for systemd

Privilege escalation in systemd