CVE-2018-10900

HIGH

Network Manager VPNC Username Privilege Escalation

Title source: metasploit

Description

Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/45313

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Denis Andzakovic, bcoles · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/network_manager_vpnc_username_priv_esc.rb

View Code ZIP pw:eip

References (9)

[Exploit, Issue Tracking, Third Party Advisory] https://bugzilla.novell.com/show_bug.cgi?id=1101147

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10900

[Third Party Advisory, Vendor Advisory] https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news

[Patch, Third Party Advisory, Vendor Advisory] https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4

[Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/07/msg00048.html

[Exploit, Third Party Advisory] https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc

[Third Party Advisory] https://security.gentoo.org/glsa/201808-03

[Third Party Advisory] https://www.debian.org/security/2018/dsa-4253

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45313/

Scores

CVSS v3 7.8

EPSS 0.1468

EPSS Percentile 94.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (3)

debian/debian_linux 8.0

debian/debian_linux 9.0

gnome/network_manager_vpnc < 1.2.6

Published Jul 26, 2018

Tracked Since Feb 18, 2026