CVE-2019-18276 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-18276 PUBLISHED

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

EPSS 49.61% · 97.8th percentile

Risk Scores

EPSS Score

49.61%

97.8th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	bash	4.4.18-2ubuntu1.2, 0, 4.4-5ubuntu1
Ubuntu:Pro:16.04:LTS	bash	0, 4.3-14ubuntu1, 4.3-14ubuntu1.1
Ubuntu:Pro:14.04:LTS	bash	4.3-7ubuntu1.4, 4.3-7ubuntu1.5, 4.3-7ubuntu1.6
Ubuntu:20.04:LTS	bash	0, 5.0-4ubuntu1, 5.0-5ubuntu1

Timeline

Nov 28, 2019 CVE Published
Nov 29, 2019 PoC Published
Apr 14, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 20, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Aug 31, 2022 EPSS Score
Jan 2, 2023 EPSS Score
Mar 7, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2019-18276 third-party-advisory
https://www.youtube.com/watch?v=-wGtxJ8opa8 third-party-advisory
https://ubuntu.com/security/notices/USN-5380-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-18276 third-party-advisory

Open in Interactive Console →