This is the mail archive of the
mailing list for the Cygwin project.
CVE-2016-3067: network privilege escalation in Cygwin set(e)uid
- From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- To: cygwin-announce at cygwin dot com
- Date: Tue, 19 Apr 2016 14:37:10 -0500
- Subject: CVE-2016-3067: network privilege escalation in Cygwin set(e)uid
- Authentication-results: sourceware.org; auth=none
- Reply-to: The Cygwin Mailing List <cygwin at cygwin dot com>

In versions of Cygwin prior to 2.5.0, a process which switched user
contexts on a system where neither the Cygwin LSA module was enabled,
nor the user password stored thereon with 'passwd -R', would retain the
network credentials of the original user context even after switching.

In the case of system services, such as a user which logged into a
Cygwin SSHD or a command run from a cronjob, this would allow access to
network shares to which the system service account (normally
'cyg_server', which is in the Administrators group) has access but to
which the user would otherwise be denied.

This issue was reported by David Willis on 2016-Feb-08 and a fix
committed to the upstream repository by Corinna Vinschen on
2016-Feb-18. The fix was first included in the 2.5.0-0.4 test release
on the same day and in the 2.5.0-1 stable release which shipped on
Red Hat Product Security has assigned CVE-2016-3067 for this issue.
 https://cygwin.com/ml/cygwin/2016-02/msg00129.html and thread
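
A check an administrator could run against the version threshold stated above; this is an added example, not part of the original announcement or of Cygwin itself. The function names are hypothetical, and the script only tests whether the release predates 2.5.0; it does not inspect the LSA module or 'passwd -R' conditions.

```shell
#!/bin/sh
# Added example: decide from a Cygwin release string whether the DLL predates
# the 2.5.0 fix for CVE-2016-3067. Function names are hypothetical.

FIXED_IN="2.5.0"   # first fixed version, per the announcement

# Strip what follows the dotted version: "2.4.1(0.293/5/3)" -> "2.4.1",
# "2.5.0-0.4" -> "2.5.0".
base_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# Return 0 (true) if version $1 is numerically lower than version $2.
# Components are compared as integers, so 2.10.0 is newer than 2.5.0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Print "affected", "fixed" or "unknown" for a release string.
cve_2016_3067_status() {
    v=$(base_version "$1")
    case $v in
        ''|*..*|.*|*.) echo unknown; return ;;
    esac
    if version_lt "$v" "$FIXED_IN"; then echo affected; else echo fixed; fi
}

# On a Cygwin host, check the running DLL (uname -r reports its release).
case $(uname -s) in
    CYGWIN*) echo "Cygwin $(uname -r): $(cve_2016_3067_status "$(uname -r)")" ;;
esac
```

On a non-Cygwin host the script prints nothing; call cve_2016_3067_status directly with a release string collected from the machine being audited.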