How can I upgrade cron in Ubuntu bionic if vulnerability CVE-2017-9525 is not patched?

The vulnerability CVE-2017-9525 exists in the cron package in Ubuntu Bionic:

https://people.canonical.com/~ubuntu-security/cve/pkg/cron.html

We want to fix it in our server, however there are no patches available for this specific version of Cron. The latest cron version for this distribution is 3.0pl1-128.1ubuntu1, which is reported to be vulnerable to CVE-2017-9525 as shown here: https://packages.ubuntu.com/bionic/cron

In order to be compliant, we need to fix this vulnerability. We have already tried downloading deb packages for cron from the latest Ubuntu distribution and installing them, but those are not supported by Ubuntu 18, unfortunately.

Is there any way to upgrade cron in Ubuntu 18 and fix this vulnerability?


Solution 1:

There is, in fact, a patch for this vulnerability: it's attached to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864466

If any Ubuntu user wants to apply the patch to 16.04 or 18.04, test it, and then report back to the Ubuntu Security Team on their testing, your real contribution to Ubuntu will be welcome.


For folks who don't want to apply patches themselves, nor upgrade to a non-vulnerable release: the Ubuntu Security Team has triaged this, and thinks that it's a Low priority bug for several good reasons.

Looks like the vulnerability can only be triggered when cron is upgraded by apt by an attacker that is already a member of the crontab group (usually nobody is).

  • Information: The cron package has received NO post-release updates in 14.04, 16.04 or 18.04 so far. This vulnerability has a very, very limited window of opportunity - once every 6 months (or once every two years).

This means that you have several possible ways to lower your risk while some other community members test and backport the patch:

Here's an example:

  1. You can apt-mark hold cron, so it does not update unobserved. The vulnerability is part of the postinstall script, which only runs when the cron package updates (or if you reinstall cron for whatever reason).

  2. In a default install of Ubuntu, nobody is in the crontab group. You can check /etc/group for any unexpected members of the crontab group, and remove them, before releasing the apt-hold and updating cron.

  3. The exploit involves using dangling symlinks to fool the kernel. You can check for dangling symlinks in $crondir/crontabs before upgrading cron. Again, easy to spot using plain old ls -la, and takes only a moment to remove.

It's also important to point out to newer users that an intruder or malware that has gained access to the crontab group has already compromised your system, regardless of whether they gain root or not.
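The three mitigations above can be scripted as a pre-upgrade check. The following is an added example, not code from the original answer, from Ubuntu or from the Debian bug report; it assumes the default Debian/Ubuntu locations (the group database in /etc/group and the crontab spool in /var/spool/cron/crontabs, i.e. $crondir/crontabs) and that the vulnerable postinst only runs when the cron package is upgraded or reinstalled. Both paths can be overridden by arguments so the checks can be run against copies.

```shell
#!/bin/sh
# Pre-upgrade checks for the cron package (Ubuntu 18.04 / CVE-2017-9525),
# mirroring the three mitigations in the answer above. Added example, not
# part of the original answer or of Ubuntu's tooling.
#
# Assumptions: group file defaults to /etc/group, crontab spool defaults
# to /var/spool/cron/crontabs; the risky code is the package postinst,
# which only runs on an upgrade or reinstall of cron.

# Print the supplementary members of the crontab group, one per line.
# On a default Ubuntu install this prints nothing.
crontab_group_members() {
    group_file="${1:-/etc/group}"
    awk -F: '$1 == "crontab" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$group_file"
}

# Print dangling symlinks inside the crontab spool, one per line.
# "test -e" follows the link, so it fails exactly for a dangling target.
dangling_symlinks() {
    spool="${1:-/var/spool/cron/crontabs}"
    [ -d "$spool" ] || return 0
    find "$spool" -type l ! -exec test -e {} \; -print
}

# Run both checks. Exit status 0 means nothing was found and the hold on
# cron can be released; 1 means there are findings to clean up first.
cron_upgrade_preflight() {
    group_file="${1:-/etc/group}"
    spool="${2:-/var/spool/cron/crontabs}"
    rc=0
    members=$(crontab_group_members "$group_file")
    if [ -n "$members" ]; then
        echo "crontab group has members (unexpected on a default install):"
        printf '%s\n' "$members" | sed 's/^/  /'
        rc=1
    fi
    links=$(dangling_symlinks "$spool")
    if [ -n "$links" ]; then
        echo "dangling symlinks in $spool (remove before upgrading cron):"
        printf '%s\n' "$links" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# With --apply (run as root on the real host): keep cron held while the
# checks are red, release the hold once they are clean.
if [ "${1:-}" = "--apply" ]; then
    if cron_upgrade_preflight; then
        apt-mark unhold cron
    else
        apt-mark hold cron
        exit 1
    fi
fi
```

Run it without arguments from cron or a config-management hook to get a report, and with --apply to make the hold follow the result. Primary-group membership via the GID field of /etc/passwd is not inspected here, since on Debian-derived systems the crontab group only ever appears as a supplementary group.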