CVE-2015-7529

First published: Mon Nov 16 2015(Updated: )

A vulnerability in sosreport was reported, allowing a privilege escalation to unprivileged attacker on RHEL-6, and change the owner and content of certain files on RHEL-7. sosreport creates temporary directory in /tmp with predictable name sosreport-$hostname-$date with permissions set to 700. Then it creates a tar file with the aforementioned name + .tar suffix. Further it invokes open() with no O_NOFOLLOW nor O_EXCL set, which can be exploited by placing a file or a symlink in its place. Attacker can create his own file to steal the content or can create a symlink to create/modify arbitrary files. On RHEL-7, there is fs.protected_symlinks sysctl provided, which closes this vector. With the setting target of the symlink must match symlink's owner. On RHEL-6 this feature is missing, so the attacker is able to modify arbitrary files and escalate privileges.

Credit: secalert@redhat.com secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/author
• agent/type
• agent/first-publish-date
• collector/mitre-cve
• source/MITRE
• agent/remedy
• agent/weakness
• agent/severity
• agent/event
• agent/description
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2015-7529
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-3g56-2hh3-35ph
• agent/software-canonical-lookup
• agent/last-modified-date
• agent/references
• collector/github-advisory
• agent/trending
• agent/source
• agent/softwarecombine
• agent/tags
• collector/nvd-cve
• source/NVD
• agent/software-canonical-lookup-request
• collector/nvd-index
• package-manager/pip
• vendor/sos project
• canonical/sos project sos
• version/sos project sos/3.0
• version/sos project sos/3.8
• vendor/canonical
• canonical/ubuntu linux
• version/ubuntu linux/14.04
• version/ubuntu linux/15.04
• version/ubuntu linux/15.10
• vendor/redhat
• canonical/redhat enterprise linux desktop
• version/redhat enterprise linux desktop/6.0
• version/redhat enterprise linux desktop/7.0
• canonical/redhat enterprise linux server
• version/redhat enterprise linux server/6.0
• version/redhat enterprise linux server/7.0
• canonical/redhat enterprise linux server aus
• version/redhat enterprise linux server aus/7.2
• version/redhat enterprise linux server aus/7.3
• version/redhat enterprise linux server aus/7.4
• version/redhat enterprise linux server aus/7.6
• version/redhat enterprise linux server aus/7.7
• canonical/redhat enterprise linux server eus
• version/redhat enterprise linux server eus/6.7
• version/redhat enterprise linux server eus/7.2
• version/redhat enterprise linux server eus/7.3
• version/redhat enterprise linux server eus/7.4
• version/redhat enterprise linux server eus/7.5
• version/redhat enterprise linux server eus/7.6
• version/redhat enterprise linux server eus/7.7
• canonical/redhat enterprise linux server tus
• version/redhat enterprise linux server tus/7.2
• version/redhat enterprise linux server tus/7.3
• version/redhat enterprise linux server tus/7.6
• version/redhat enterprise linux server tus/7.7
• canonical/redhat enterprise linux workstation
• version/redhat enterprise linux workstation/6.0
• version/redhat enterprise linux workstation/7.0