
Ubuntu fixes bugs that allow privilege escalation to root

Last updated: 2020/11/15 at 4:23 PM
Jim Koohyar Biniyaz Published November 16, 2020

The Ubuntu desktop developers have released updates with a new gdm3 package, which fixes a dangerous vulnerability in the GNOME window manager. Combined with either of two bugs in AccountsService, which have also been patched, it allows an attacker to execute arbitrary code on the system as root. Exploiting the new vulnerabilities requires physical access to the device and a valid account.

The GNOME software implements windowing functions on the computer screen and, among other things, is responsible for displaying the login screen. According to the bulletin, the CVE-2020-16125 vulnerability in GDM is caused by the initial configuration program (gnome-initial-setup) being launched incorrectly when the AccountsService daemon is not available through DBus.

The window manager can start the initial configuration if it does not find any accounts on the system. It checks whether any accounts exist by querying accounts-daemon. If this process does not respond, GDM assumes that there are no accounts and runs the gnome-initial-setup utility, through which a new account can be registered with superuser privileges.
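The decision described above is a fail-open check: "no answer" is treated the same as "no accounts". The following simplified model is an added example, not GDM's code or the upstream patch; every type and function name in it is hypothetical. It contrasts that logic with a fail-closed version that only offers first-run setup after a positive answer of zero accounts.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical outcome of asking the accounts service for the user list. */
typedef enum {
    QUERY_OK,           /* daemon answered; user_count is valid */
    QUERY_TIMEOUT,      /* daemon hung and never replied */
    QUERY_UNAVAILABLE   /* daemon crashed or is not on the bus */
} query_status;

typedef struct {
    query_status status;
    int user_count;     /* only meaningful when status == QUERY_OK */
} query_result;

/* Fail-open: a missing answer is folded into "zero accounts",
 * which is the behaviour the article describes. */
bool run_setup_fail_open(query_result r)
{
    int users = (r.status == QUERY_OK) ? r.user_count : 0;
    return users == 0;
}

/* Fail-closed: only a confirmed answer of zero accounts enables setup. */
bool run_setup_fail_closed(query_result r)
{
    if (r.status != QUERY_OK)
        return false;   /* unknown state: keep the normal login screen */
    return r.user_count == 0;
}

int main(void)
{
    /* Constructed cases: fresh install, normal system, hung daemon, crashed daemon. */
    const query_result cases[] = {
        { QUERY_OK, 0 }, { QUERY_OK, 3 }, { QUERY_TIMEOUT, 0 }, { QUERY_UNAVAILABLE, 0 },
    };
    const char *names[] = { "ok/0 users", "ok/3 users", "timeout", "unavailable" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s fail-open=%d fail-closed=%d\n", names[i],
               run_setup_fail_open(cases[i]), run_setup_fail_closed(cases[i]));
    return 0;
}
```

Both versions agree whenever the daemon answers; they differ only in the timeout and unavailable cases, which are the states a crashed or hung accounts-daemon produces.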

The vulnerability is fixed in GNOME 3.28.3, 3.36.2, and 3.38.2. Corresponding updates are already available for Ubuntu versions 20.10, 20.04 and 18.04.

As it turns out, the CVE-2020-16125 issue can be exploited by forcibly terminating the accounts-daemon process. This daemon, running as root, has two bugs that make it easy to do this.

CVE-2020-16126 is caused by privileges (the ruid attribute) being dropped incorrectly while processing some DBus calls; CVE-2020-16127 occurs when processing custom .pam_environment files. In both cases, exploitation can cause accounts-daemon to crash or hang, leading to denial of service (DoS).

These issues affect Ubuntu 20.10, 20.04, 18.04, 16.04 and 14.04 (CVE-2020-16127 confirmed only in Ubuntu 20.04 LTS and Ubuntu 20.10) and have already been fixed.


TAGGED: CVE-2020-16125, CVE-2020-16126, CVE-2020-16127, GNOME, root, Ubuntu, Ubuntu 20.04 LTS