ID CVE-2018-1113
Summary setup before version 2.11.4-1.fc28 in Fedora and Red Hat Enterprise Linux added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates the security assumption made by pam_shells and by some daemons that grant access based on a user's login shell being listed in /etc/shells: a shell in that file is treated as an ordinary, permitted login shell. Under some circumstances, users whose shell had been changed to /sbin/nologin in order to lock the account could therefore still access the system.
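As an added illustration that is not part of the CVE record or of the setup package, the script below reproduces the pam_shells-style decision "is the account's login shell an entry in /etc/shells?" against constructed copies of /etc/shells and /etc/passwd: one /etc/shells with the nologin entries as the affected setup package wrote them, and one without. The account names, paths and file contents are constructed sample data, not taken from any real system.

```shell
#!/bin/sh
# Added example, not part of the CVE record or of the setup package.
# Emulates the pam_shells decision "is the account's login shell listed in
# /etc/shells?" against constructed data, to show why listing nologin there
# admits accounts that were meant to be locked out.

# Constructed /etc/shells as the affected setup package wrote it (nologin listed).
VULN_SHELLS='/bin/sh
/bin/bash
/sbin/nologin
/usr/sbin/nologin'

# Constructed /etc/shells without the nologin entries (the fixed state).
FIXED_SHELLS='/bin/sh
/bin/bash'

# Constructed /etc/passwd; svc_backup and svc_web were "disabled" via nologin.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc_backup:x:1001:1001::/var/lib/backup:/sbin/nologin
svc_web:x:1002:1002::/var/www:/usr/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/false'

# shell_allowed SHELLS_CONTENT SHELL: succeeds when SHELL is an exact line of
# SHELLS_CONTENT. That whole-line membership test is all pam_shells checks.
shell_allowed() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# users_passing SHELLS_CONTENT PASSWD_CONTENT: prints, one per line, the
# accounts the membership test admits.
users_passing() {
    printf '%s\n' "$2" | while IFS=: read -r user pw uid gid gecos home shell; do
        if shell_allowed "$1" "$shell"; then
            printf '%s\n' "$user"
        fi
    done
}

# nologin_users_passing SHELLS_CONTENT PASSWD_CONTENT: the subset of admitted
# accounts whose shell is a nologin binary, i.e. accounts an administrator
# believed were locked out but that the check still lets through.
nologin_users_passing() {
    printf '%s\n' "$2" | while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            */nologin)
                if shell_allowed "$1" "$shell"; then
                    printf '%s\n' "$user"
                fi
                ;;
        esac
    done
}

# audit_host: run the same check against this machine's real files.
# Returns 0 when no nologin account passes, 1 when at least one does,
# 2 when the files cannot be read.
audit_host() {
    if [ ! -r /etc/shells ] || [ ! -r /etc/passwd ]; then
        echo "audit_host: cannot read /etc/shells or /etc/passwd" >&2
        return 2
    fi
    hits=$(nologin_users_passing "$(cat /etc/shells)" "$(cat /etc/passwd)")
    if [ -n "$hits" ]; then
        printf 'nologin is listed in /etc/shells; these accounts pass the check:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

echo "with nologin in /etc/shells, the check admits:"
users_passing "$VULN_SHELLS" "$SAMPLE_PASSWD"
echo "of which these were supposed to be locked out:"
nologin_users_passing "$VULN_SHELLS" "$SAMPLE_PASSWD"
echo "without nologin in /etc/shells, the check admits:"
users_passing "$FIXED_SHELLS" "$SAMPLE_PASSWD"
```

With the vulnerable /etc/shells, svc_backup and svc_web pass the membership test even though their shell is nologin; with the nologin lines removed, only root and alice pass, and guest (shell /bin/false) is rejected in both cases because /bin/false is not listed. Run `audit_host` on a real machine to see whether it is in the affected state; the remediation implied by the fixed setup package is to remove the nologin lines from /etc/shells. Note that the membership test is the only thing this script models: an interactive login that actually executes /sbin/nologin is still refused by nologin itself, so the exposure is through services that grant access on the /etc/shells test alone, as the summary describes (the shells(5) manual page notes that FTP daemons have traditionally made this check).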
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:setup:2.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:setup:2.10.8:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:setup:2.10.9:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:setup:2.10.10:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:setup:2.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:setup:2.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:setup:2.11.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:-:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:-:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVSS
Base: 4.6 (as of 09-10-2019 - 23:38)
Impact:
Exploitability:
CWE CWE-732 (Incorrect Permission Assignment for Critical Resource)
CAPEC
  • Session Fixation
    The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.
  • Replace Binaries
    Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed.
  • Cross Site Request Forgery
    An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.
  • Hijacking a privileged process
    An attacker gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code. Processes can be hijacked through improper handling of user input (for example, a buffer overflow or certain types of injection attacks) or by utilizing system utilities that support process control that have been inadequately secured.
  • Using Malicious Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Exploiting Incorrectly Configured Access Control Security Levels
    An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little p