[email protected]CVE-2018-14665

HistoryOct 25, 2018 - 8:29 p.m.

CVE-2018-14665

2018-10-2520:29:00

CWE-863

[email protected]

web.nvd.nist.gov

196

xorg-x11-server

cve-2018-14665

permission check

privilege escalation

nvd

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

6.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.041 Low

EPSS

Percentile

92.2%

JSON

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.

Affected configurations

NVD

Node

x.orgxorg-serverRange<1.20.3

Node

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch7.6

redhatenterprise_linux_server_eusMatch7.6

redhatenterprise_linux_server_tusMatch7.6

redhatenterprise_linux_workstationMatch7.0

Node

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch18.04lts

canonicalubuntu_linuxMatch18.10

Node

debiandebian_linuxMatch9.0

CPENameOperatorVersion
x.org:xorg-serverx.org xorg-serverlt1.20.3

CPE	Name	Operator	Version
x.org:xorg-server	x.org xorg-server	lt	1.20.3

References

packetstormsecurity.com/files/154942/Xorg-X11-Server-SUID-modulepath-Privilege-Escalation.html

packetstormsecurity.com/files/155276/Xorg-X11-Server-Local-Privilege-Escalation.html

www.securityfocus.com/bid/105741

www.securitytracker.com/id/1041948

access.redhat.com/errata/RHSA-2018:3410

bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14665

gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e

gitlab.freedesktop.org/xorg/xserver/commit/8a59e3b7dbb30532a7c3769c555e00d7c4301170

lists.x.org/archives/xorg-announce/2018-October/002927.html

security.gentoo.org/glsa/201810-09

usn.ubuntu.com/3802-1/

www.debian.org/security/2018/dsa-4328

www.exploit-db.com/exploits/45697/

www.exploit-db.com/exploits/45742/

www.exploit-db.com/exploits/45832/

www.exploit-db.com/exploits/45908/

www.exploit-db.com/exploits/45922/

www.exploit-db.com/exploits/45938/

www.exploit-db.com/exploits/46142/

www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html

Social References

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

6.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.041 Low

EPSS

Percentile

92.2%

JSON

CVE-2018-14665

Affected configurations

References

Social References

Related