CVE-2018-14665 — MEDIUM (6.6)

Q: How severe is CVE-2018-14665?

CVE-2018-14665 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-14665?

Check the references section above for vendor advisories and patch information. Affected products include: X.Org X Server, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus.

Vulnerability Description

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.

CVSS Score

6.6

MEDIUM

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
X.Org	X Server	< 1.20.3
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Eus	7.6
Redhat	Enterprise Linux Server Tus	7.6
Redhat	Enterprise Linux Workstation	7.0
Canonical	Ubuntu Linux	16.04
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-863

References

http://packetstormsecurity.com/files/154942/Xorg-X11-Server-SUID-modulepath-Priv
http://packetstormsecurity.com/files/155276/Xorg-X11-Server-Local-Privilege-Esca
http://www.securityfocus.com/bid/105741Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041948Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3410Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14665Issue TrackingPatchThird Party Advisory
https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1PatchThird Party Advisory
https://gitlab.freedesktop.org/xorg/xserver/commit/8a59e3b7dbb30532a7c3769c555e0PatchThird Party Advisory
https://lists.x.org/archives/xorg-announce/2018-October/002927.htmlMitigationPatchVendor Advisory
https://security.gentoo.org/glsa/201810-09Third Party Advisory
https://usn.ubuntu.com/3802-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4328Third Party Advisory
https://www.exploit-db.com/exploits/45697/ExploitThird Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/45742/ExploitThird Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/45832/ExploitThird Party AdvisoryVDB Entry

FAQ

What is CVE-2018-14665?

CVE-2018-14665 is a vulnerability with a CVSS score of 6.6 (MEDIUM). A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in ...

How severe is CVE-2018-14665?

CVE-2018-14665 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-14665?

Check the references section above for vendor advisories and patch information. Affected products include: X.Org X Server, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus.