CVE-2014-3038
Description
IBM SPSS Modeler 16.0 on Unix fails to drop root group privileges after setuid, allowing local users to access privileged files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM SPSS Modeler 16.0 before version 16.0.0.1 on Unix platforms does not properly drop group privileges after authenticating a user. When the server spawns a process with setuid to the user's identity, it retains the root GID (0) and associated privileged groups. This allows a local user to access files that would normally be restricted to privileged users. Affected versions: IBM SPSS Modeler 16 on Unix platforms [1].
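The privilege-drop order that this class of bug omits, as an added C example (not IBM's code and not taken from the advisory). The function names `residual_gids` and `drop_privileges` and the UID/GID value 1001 are hypothetical, chosen for illustration.

```c
/* Added illustration; function names and sample IDs are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count group credentials that differ from the intended GID.
 * Non-zero after a drop means group privilege was retained. */
int residual_gids(gid_t target, gid_t rgid, gid_t egid,
                  const gid_t *supp, int nsupp)
{
    int extra = (rgid != target) + (egid != target);
    for (int i = 0; i < nsupp; i++)
        extra += (supp[i] != target);
    return extra;
}

/* Permanently become uid:gid. Groups are changed first, while the process
 * is still root; once setuid() has run, those calls are refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t supp[64];
    int n;

    if (setgroups(1, &gid) != 0) return -1;  /* clear supplementary groups */
    if (setgid(gid) != 0)        return -1;  /* real, effective, saved GID */
    if (setuid(uid) != 0)        return -1;  /* last step: gives up root */

    n = getgroups(64, supp);                 /* verify, fail closed */
    if (n < 0 || residual_gids(gid, getgid(), getegid(), supp, n) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)          /* root must not be regainable */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed credentials: a setuid-only switch vs. a complete drop. */
    gid_t leaked[] = { 0 }, clean[] = { 1001 };
    printf("setuid only: %d residual group credentials\n",
           residual_gids(1001, 0, 0, leaked, 1));
    printf("full drop:   %d residual group credentials\n",
           residual_gids(1001, 1001, 1001, clean, 1));
    return 0;
}
```

`drop_privileges` only succeeds when called from a process that is still root; the `main` here exercises the audit function on constructed values so it runs as any user.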
Exploitation
An attacker needs only local access to the system; no authentication is required beyond being a local user. The attacker can leverage the retained root GID to access files that are group-readable or group-writable by root. The exploitation sequence involves logging in as a local user and then using the inherited group privileges to read or modify files that are normally only accessible to root or members of root's group [1].
Impact
Successful exploitation allows a local attacker to bypass file-access restrictions, resulting in partial confidentiality and integrity impact. The CVSS base score is 3.6 (AV:L/AC:L/Au:N/C:P/I:P/A:N). The attacker can read sensitive files and potentially modify some files depending on permissions, but does not gain full root privileges [1].
Mitigation
The fix is to apply the IBM SPSS Modeler 16.0.0.1 Fix Pack. No workarounds are available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Users should upgrade to version 16.0.0.1 or later [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:spss_modeler:16.0.0.0:*:*:*:*:*:*:*
- (no CPE) range: <16.0.0.1
Patches
No patches discovered yet.
References