CVE-2018-14051 Insecure default file permissions, allowing local attackers with read access to a directory to gain root privileges. SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.
CVE-2018-14052 Incorrect file permissions, allowing local attackers with access to a directory to gain root privileges. SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.
Product details
CVE-2018-14055 Incorrect file permissions, allowing local attackers with access to a directory to gain root privileges. SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.
Vulnerability
CVE-2018-14053 Incorrect file permissions, allowing local attackers with access to a directory to gain root privileges. SUSE Linux Enterprise Desktop 12 SP5, openSUSE Leap 15.3, openSUSE Leap 15.4 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SLE Desktop 12 SP5 and SLES for SAP Applications 7 SP1.
How to address the risk
SUSE recommends reviewing the permissions on all directories and files in your home directory.
- Do not execute setgid programs as root when running as a user in group setgid
- Review file permissions on all directories and files to ensure they are restrictive
HOW TO DIFF THESE TWO VULNERABILITY TYPES
An important part of any security program is the ability to quickly fix vulnerabilities and minimize the impact of those vulnerabilities.
CVE-2018-14051: openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not enforce the restrictive behavior of setgid programs when executed by users in group setgid, allowing local attackers to gain root privileges by setting group privileges on a directory that is accessible to the group. This issue affects: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.
CVE-2022-31252: SUSE Linux Enterprise Server 12-SP5, openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 permissions versions prior to 20170707.
Timeline
Published on: 10/06/2022 18:16:00 UTC
Last modified on: 11/07/2022 20:20:00 UTC