CVE-2018-14051 Insecure default file permissions, allowing local attackers with read access to a directory to gain root privileges. SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.

CVE-2018-14052 Incorrect file permissions, allowing local attackers with access to a directory to gain root privileges. SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.

CVE

References to receive more information about this update


Product details

CVE-2018-14055 Incorrect file permissions, allowing local attackers with access to a directory to gain root privileges. SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.

Vulnerability
CVE-2018-14053 Incorrect file permissions, allowing local attackers with access to a directory to gain root privileges. SUSE Linux Enterprise Desktop 12 SP5, openSUSE Leap 15.3, openSUSE Leap 15.4 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SLE Desktop 12 SP5 and SLES for SAP Applications 7 SP1.

How to address the risk

SUSE recommends reviewing the permissions on all directories and files in your home directory.

- Do not execute setgid programs as root when running as a user in group setgid
- Review file permissions on all directories and files to ensure they are restrictive

How to differentiate these two vulnerability types

An important part of any security program is the ability to quickly fix vulnerabilities and minimize the impact of those vulnerabilities.

CVE-2018-14051: openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.

CVE-2022-31252: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 11/07/2022 20:20:00 UTC

References