PT-2024-36816 · Tags: Unknown, Shadow-Utils
Author: Jonnywhatshisface · Published 2024-12-26 · Updated 2025-12-31 · CVE-2024-56433

CVSS v3.1: 3.6 (Low)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: shadow-utils versions 4.4 through 4.17.0

Description: The issue arises from the default /etc/subuid behavior established by shadow-utils, which can conflict with the uids of users defined on locally administered networks. This conflict can potentially lead to account takeover, for example by leveraging newuidmap for access to an NFS home directory, or to same-host resources when these local network users log in remotely. System administrators should also avoid assigning uids on local networks that fall within the range that can occur in /etc/subuid.

Recommendations: For shadow-utils versions 4.4 through 4.17.0, consider adjusting the /etc/subuid configuration to avoid conflicts with locally administered network user ids. As a temporary workaround, restrict access to newuidmap to minimize the risk of account takeover. Avoid using uid ranges in /etc/subuid that overlap with those used by local network users.
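The check an administrator would want before applying the recommendation above is whether any subordinate-uid range in /etc/subuid already contains the uid of a real (typically directory-served) account. The following script is an added example written for this record; it is not code from shadow-utils, from any vendor advisory, or from the author of this entry. It parses the user:start:count lines of /etc/subuid and the uid column of a passwd-style listing (such as `getent passwd` output) and reports every overlap. The sample inputs are constructed, and the assumption that accounts with uid >= 1000 are the locally administered ones should be adjusted to the site's own policy.

```python
"""Report subordinate-uid ranges in /etc/subuid that contain real user ids.

Added example for this advisory record, not code from shadow-utils or from
any vendor fix. SAMPLE_SUBUID and SAMPLE_PASSWD below are constructed; the
min_uid threshold of 1000 for "network" accounts is an assumption.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Constructed sample /etc/subuid: user:first_subuid:count. The 100000
# starting point is the default that useradd allocates on affected versions.
SAMPLE_SUBUID = """\
# comment lines and blank lines are ignored
alice:100000:65536
bob:165536:65536
"""

# Constructed passwd-style listing (what `getent passwd` would return when
# LDAP/NIS users are merged in). carol's uid sits inside alice's range.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
carol:x:120000:120000:Carol (LDAP):/nfs/home/carol:/bin/bash
dave:x:300000:300000:Dave (LDAP):/nfs/home/dave:/bin/bash
"""


@dataclass(frozen=True)
class SubuidRange:
    owner: str
    first: int
    last: int  # inclusive upper bound

    def contains(self, uid: int) -> bool:
        return self.first <= uid <= self.last


def parse_subuid(text: str) -> list[SubuidRange]:
    """Parse /etc/subuid content: one user:start:count entry per line."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        first = int(start)
        ranges.append(SubuidRange(owner, first, first + int(count) - 1))
    return ranges


def parse_passwd(text: str, min_uid: int = 1000) -> list[tuple[str, int]]:
    """Return (name, uid) for every account with uid >= min_uid (assumed to
    be the locally administered / network accounts)."""
    users = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) < 3:
            continue
        uid = int(fields[2])
        if uid >= min_uid:
            users.append((fields[0], uid))
    return users


def find_collisions(ranges: list[SubuidRange],
                    users: list[tuple[str, int]]) -> list[tuple[str, str, int]]:
    """Every (range owner, account name, uid) where a real uid falls inside
    a subordinate range. Any hit is the overlap this advisory warns about:
    the range owner can map that uid through newuidmap."""
    hits = []
    for r in ranges:
        for name, uid in users:
            if r.contains(uid):
                hits.append((r.owner, name, uid))
    return hits


if __name__ == "__main__":
    # Usage: python3 check_subuid.py /etc/subuid <(getent passwd)
    # With no arguments the constructed samples are checked instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            subuid_text = f.read()
        with open(sys.argv[2]) as f:
            passwd_text = f.read()
    else:
        subuid_text, passwd_text = SAMPLE_SUBUID, SAMPLE_PASSWD
    hits = find_collisions(parse_subuid(subuid_text), parse_passwd(passwd_text))
    for owner, name, uid in hits:
        print(f"uid {uid} ({name}) lies inside the subordinate range owned by {owner}")
    if hits:
        print("Adjust /etc/subuid so no range overlaps a real uid "
              "(and raise SUB_UID_MIN in /etc/login.defs for future allocations).")
    else:
        print("No overlap between /etc/subuid ranges and real uids.")
```

On the samples the script flags carol (uid 120000) as lying inside alice's range 100000-165535, which is exactly the situation the description calls out; dave at 300000 is clear because no range reaches that high. Run it against the real /etc/subuid and the merged account database rather than /etc/passwd alone, since the conflicting uids of interest are the ones served from the network.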

Related Identifiers

ALSA-2025:20145
ALSA-2025:20559
AZL-54674
CVE-2024-56433
ECHO-1445-D49A-1C4B
INFSA-2025_20559
RHSA-2025:20145
RHSA-2025:20559
RHSA-2025_20559

Affected Products

Almalinux
Debian
Red Hat
Rocky Linux
Shadow-Utils