CVE-2018-10852 — LOW (3.8) — White Hats Nepal

Q: How severe is CVE-2018-10852?

CVE-2018-10852 has been rated LOW with a CVSS base score of 3.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-10852?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Sssd, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation.

Vulnerability Description

The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1.16.3.

CVSS Score

3.8

LOW

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	8.0
Fedoraproject	Sssd	< 1.16.3
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-200

References

http://www.securityfocus.com/bid/104547Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3158Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10852Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00019.htmlMailing ListThird Party Advisory
http://www.securityfocus.com/bid/104547Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3158Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10852Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00019.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2018-10852?

CVE-2018-10852 is a vulnerability with a CVSS score of 3.8 (LOW). The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo...

How severe is CVE-2018-10852?

CVE-2018-10852 has been rated LOW with a CVSS base score of 3.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10852?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Sssd, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation.