CVE-2024-56433: 
Rocky Linux vulnerability analysis and mitigation

shadow-utils (aka shadow) versions 4.4 through 4.17.0 contains a vulnerability in its default /etc/subuid configuration. The software establishes default subordinate UID ranges (e.g., uid 100000 through 165535 for the first user account) that can potentially conflict with UIDs of users defined on locally administered networks (MITRE, NVD). This vulnerability was discovered in December 2024 and is currently marked as disputed.

The vulnerability stems from the default configuration in /etc/login.defs that assigns subordinate UID ranges to local accounts. The default range starts at SUBUIDMIN 100000 with SUBUIDCOUNT 65536, which can overlap with existing network user IDs. This configuration allows local users to leverage newuidmap to gain access to resources owned by network users whose UIDs fall within the assigned subordinate range (Shadow Config). The vulnerability has been assigned a CVSS 3.1 Base Score of 3.6 LOW (Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) (NVD).

The vulnerability can lead to account takeover by allowing local users to gain access to resources belonging to network users whose UIDs fall within the subordinate range. This includes potential access to NFS home directories or same-host resources in cases of remote logins by these network users (Shadow Issue).

While no official fix has been released, system administrators should carefully review and potentially modify the default subordinate UID ranges in /etc/login.defs to ensure they don't conflict with UIDs used in their network environment. Some argue that system administrators should not assign UIDs within the range that can occur in /etc/subuid (NVD).