CVE-2019-13272 · threatengine.sh

Home/CVE/Linux Kernel Improper Privilege Management Vulnerability

CVE

CVE-2019-13272

Linux Kernel Improper Privilege Management Vulnerability

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.

NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

HIGH · CVSS 7.8 ⚠ CISA KEV EPSS 0.80379

Act now

Listed on CISA KEV (known exploited in the wild)
SSVC exploitation status: active
EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 1% of all CVEs by exploitation likelihood
Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬢

Required Remediation

Apply updates per vendor instructions.

▤

Affected Products & Versions

29

linux kernel>= 3.16.52 and < 3.16.71
linux kernel>= 4.1.39 and < 4.2
linux kernel>= 4.4.40 and < 4.4.185
linux kernel>= 4.8.16 and < 4.9
linux kernel>= 4.9.1 and < 4.9.185
linux kernel>= 4.10 and < 4.14.133
linux kernel>= 4.15 and < 4.19.58
linux kernel>= 4.20 and < 5.1.17
Show all 29 affected productsdebian linuxall versions
fedoraproject fedoraall versions
canonical ubuntu linuxall versions
redhat enterprise linuxall versions
redhat enterprise linux for arm 64all versions
redhat enterprise linux for ibm z systemsall versions
redhat enterprise linux for real timeall versions
redhat enterprise linux for real time for nfvall versions
redhat enterprise linux for real time for nfv tusall versions
redhat enterprise linux for real time tusall versions
netapp aff a700s firmwareall versions
netapp h410c firmwareall versions
netapp h610s firmwareall versions
netapp active iq unified managerall versions
netapp e-series performance analyzerall versions
netapp e-series santricity os controller>= 11.0.0 and <= 11.60.3
netapp hci management nodeall versions
netapp service processorall versions
netapp solidfireall versions
netapp steelstore cloud integrated storageall versions
netapp hci compute nodeall versions

⚠

Public Exploits & PoCs

11

localLinux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)2021-11-23
localLinux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)verified
localLinux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation2019-07-24
localLinux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEMEverified
pocpacketstormsecurity.com · Linux-PTRACE_TRACEME-Broken-Permission-Object-Lifetime-Ha...packetstormsecurity.com
pocpacketstormsecurity.com · Slackware-Security-Advisory-Slackware-14.2-kernel-Updates...packetstormsecurity.com
pocpacketstormsecurity.com · Kernel-Live-Patch-Security-Notice-LSN-0054-1.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Linux-Polkit-pkexec-Helper-PTRACE_TRACEME-Local-Root.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Linux-PTRACE_TRACEME-Local-Root.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Linux-Kernel-5.1.x-PTRACE_TRACEME-pkexec-Local-Privilege-...packetstormsecurity.com
pocbugs.chromium.org · detail?id=1903bugs.chromium.org

▣

Scoring & Timeline

7.8

HIGH · CVSS v3.1 · cve@mitre.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD17 Jul 2019 · 01:15 PM

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

active

Automatable

no

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

26

cisaKEV-CVE-2019-13272
suse-csafSUSE-SU-2019:3246-1
suse-csafSUSE-SU-2019:3247-1
suse-csafSUSE-SU-2019:3248-1
suse-csafSUSE-SU-2019:3249-1
Show all 26 vendor advisoriessuse-csafSUSE-SU-2019:3252-1
suse-csafSUSE-SU-2019:3258-1
suse-csafSUSE-SU-2019:3260-1
suse-csafSUSE-SU-2019:3261-1
suse-csafSUSE-SU-2019:3263-1
suse-csafSUSE-SU-2019:3223-1
suse-csafSUSE-SU-2019:3224-1
suse-csafSUSE-SU-2019:3225-1
suse-csafSUSE-SU-2019:3228-1
suse-csafSUSE-SU-2019:3230-1
suse-csafSUSE-SU-2019:3232-1
suse-csafSUSE-SU-2019:2984-1
suse-csafSUSE-SU-2019:2949-1
usnUSN-4118-1
usnUSN-4117-1
usnUSN-4095-1
usnUSN-4094-1
usnUSN-4093-1
rhsaRHSA-2019:2411Moderate
rhsaRHSA-2019:2405Moderate
rhsaRHSA-2019:2809Important

🔗

References & Sources

20

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://bugzilla.redhat.com/show_bug.cgi?id=1730895Issue TrackingPatch

https://bugzilla.suse.com/show_bug.cgi?id=1140671Issue TrackingPatchThird Party Advisory

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.17PatchVendor Advisory

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41eePatchVendor Advisory

https://github.com/torvalds/linux/commit/6994eefb0053799d2e07cd140df6c2ea106c41eePatch

https://lists.debian.org/debian-lts-announce/2019/07/msg00022.htmlMailing ListThird Party Advisory

Show all 20 references

https://lists.debian.org/debian-lts-announce/2019/07/msg00023.htmlMailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGRK5LYWBJ4E4SRI4DKX367NHYSI3VOH/Release Notes

https://seclists.org/bugtraq/2019/Jul/30Issue TrackingMailing ListThird Party Advisory

https://seclists.org/bugtraq/2019/Jul/33Issue TrackingMailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20190806-0001/Third Party Advisory

https://support.f5.com/csp/article/K91025336Third Party Advisory

https://support.f5.com/csp/article/K91025336?utm_source=f5support&ampThird Party Advisory

https://usn.ubuntu.com/4093-1/Third Party Advisory

https://usn.ubuntu.com/4094-1/Third Party Advisory

https://usn.ubuntu.com/4095-1/Third Party Advisory

https://usn.ubuntu.com/4117-1/Third Party Advisory

https://usn.ubuntu.com/4118-1/Third Party Advisory

https://www.debian.org/security/2019/dsa-4484Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-13272US Government Resource

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin