CVE-2023-40303: 
NixOS Schwachstellenanalyse und -minderung

GNU inetutils before version 2.5 contains a privilege escalation vulnerability (CVE-2023-40303) due to unchecked return values of set*id() family functions in multiple components including ftpd, rcp, rlogin, rsh, rshd, and uucpd. The vulnerability was discovered in July 2023 and affects systems where these components are installed (GNU Bug Report, NVD).

The vulnerability stems from the failure to verify return values from privilege-dropping functions such as setuid(), setgid(), seteuid(), and setguid() in multiple components. This oversight is particularly relevant when a process attempts to drop privileges before allowing an ordinary user to control its activities. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high potential impact (NVD).

The vulnerability could lead to privilege escalation, potentially allowing attackers to execute code with elevated privileges. In the case of rshd, if the daemon runs as root, privilege escalation is possible as any user logging in after a set*id() failure would have their session started as root. For rlogin, local privilege escalation is possible as the binary is setUID root, and for uucpd, there is potential for remote privilege escalation to root for already valid users (GNU Bug Report).

The vulnerability has been fixed in GNU inetutils version 2.5, released on December 29, 2023. The fix involves adding proper return value checking for all set*id() family functions. Various distributions have also backported the fix, including Debian which patched the issue in their LTS release (Debian Advisory, GNU Patch).