CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Analysis
Container privilege escalation in Red Hat Web Terminal allows local attackers with group membership to modify the /etc/passwd file and create arbitrary user accounts including root. The vulnerability stems from overly permissive group-writable permissions on /etc/passwd during image build, enabling privilege escalation from non-root container users to full root access within the container. Red Hat Web Terminal across multiple versions is affected; no public exploit code or active exploitation has been reported at the time of analysis.
Technical Context
This vulnerability is rooted in CWE-276 (Incorrect Default Permissions), a widespread class of flaws involving insufficiently restrictive file permissions set during software creation or deployment. The Web Terminal container image is built with /etc/passwd configured as group-writable, typically with a mode of 0664 or more permissive. Container users who are members of the root group (GID 0) can therefore write directly to this critical system file without elevated privileges. By appending lines to /etc/passwd in the format 'username:x:UID:GID:gecos:home:shell', an attacker can register new user identities with the system, including UID 0 (root). The Linux user namespace and container runtime treat /etc/passwd as the source of truth for user identity mapping; writing a UID 0 entry allows the attacker to become root within the container namespace. This attack does not escape the container boundary but grants complete control within it. The affected CPE is cpe:2.3:a:red_hat:red_hat_web_terminal:*:*:*:*:*:*:*:*, indicating all versions of Red Hat Web Terminal are potentially affected.
Affected Products
Red Hat Web Terminal is affected across all versions, as indicated by the CPE cpe:2.3:a:red_hat:red_hat_web_terminal:*:*:*:*:*:*:*:*. No specific version ranges are delineated in the available data. For detailed product version information and affected supported versions, refer to the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2025-57853 and the associated Red Hat Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2391106.
Remediation
The primary remediation is to apply a patched version of Red Hat Web Terminal that corrects the /etc/passwd file permissions during the build process. Exact patched version numbers are not specified in the available advisory data; consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2025-57853 for the specific patch release. As an interim mitigation, system administrators should ensure that /etc/passwd within Web Terminal container images is created with restrictive permissions (typically 0644 or 0444) and verify that no non-root user accounts or group memberships unnecessarily grant write access to critical system files. Container image builds should include explicit permission corrections in Dockerfile RUN directives (e.g., 'chmod 0644 /etc/passwd') to override any inherited or default permissions. Review container user and group configuration to limit group memberships to necessary accounts only.
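The following is an added audit script, not part of the advisory or of the Web Terminal image, that checks for the CWE-276 condition described in Technical Context (identity files writable by group or other) and for its expected outcome (an extra UID 0 account). It assumes GNU coreutils `stat -c %a`; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: audit a container filesystem for the permission flaw
# described above and for the extra-UID-0 outcome it enables.
# Assumes GNU coreutils `stat -c %a` for the live-file wrapper.

# mode_is_group_or_world_writable MODE
#   MODE is an octal string as printed by `stat -c %a` (e.g. 664, 1777).
#   Returns 0 if the group or other write bit is set, 1 otherwise.
mode_is_group_or_world_writable() {
    mode=$1
    tail=${mode#"${mode%??}"}     # last two octal digits: group, other
    for digit in "${tail%?}" "${tail#?}"; do
        case $digit in 2|3|6|7) return 0 ;; esac   # write bit (2) is set
    done
    return 1
}

# file_is_group_or_world_writable PATH
#   Live-file wrapper around the mode check.
file_is_group_or_world_writable() {
    mode=$(stat -c %a "$1") || return 2
    mode_is_group_or_world_writable "$mode"
}

# extra_uid0_entries PASSWD_FILE
#   Prints every account other than "root" whose UID is 0, which is the
#   trace an appended UID 0 line would leave in the file.
extra_uid0_entries() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# audit_identity_files [ROOT]
#   Checks passwd/group/shadow under ROOT (default: /). Returns 0 if clean,
#   1 if any file is group/world-writable or an extra UID 0 account exists.
#   The interim fix from the Remediation section is `chmod 0644 /etc/passwd`
#   in a Dockerfile RUN directive.
audit_identity_files() {
    root=${1:-}
    status=0
    for f in "$root/etc/passwd" "$root/etc/group" "$root/etc/shadow"; do
        [ -e "$f" ] || continue
        if file_is_group_or_world_writable "$f"; then
            echo "WRITABLE: $f mode $(stat -c %a "$f")"; status=1
        fi
    done
    if [ -r "$root/etc/passwd" ]; then
        for u in $(extra_uid0_entries "$root/etc/passwd"); do
            echo "EXTRA UID 0 ACCOUNT: $u"; status=1
        done
    fi
    return $status
}
```

Run it against an unpacked image root (e.g. `audit_identity_files /mnt/image`) as a build-time gate, or inside the container as a non-root user to confirm the fix landed.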
EUVD alias: EUVD-2025-209302