CVE-2023-29383
Description
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
Affected products
- Range: =4.13
- osv-coords: 33 versions (no CPE), each listed with its affected range:
  - pkg:rpm/opensuse/shadow&distro=openSUSE%20Leap%2015.4, range: < 4.8.1-150400.10.6.1
  - pkg:rpm/opensuse/shadow&distro=openSUSE%20Leap%20Micro%205.3, range: < 4.8.1-150400.10.6.1
  - pkg:rpm/opensuse/shadow&distro=openSUSE%20Leap%20Micro%205.4, range: < 4.8.1-150400.3.6.1
  - pkg:rpm/opensuse/shadow&distro=openSUSE%20Tumbleweed, range: < 4.13-6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Enterprise%20Storage%207, range: < 4.6-150100.3.8.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Enterprise%20Storage%207.1, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS, range: < 4.6-150100.3.8.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS, range: < 4.6-150100.3.8.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Micro%205.1, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Micro%205.2, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Micro%205.3, range: < 4.8.1-150400.10.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Micro%205.4, range: < 4.8.1-150400.3.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Micro%205.5, range: < 4.8.1-150500.3.3.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4, range: < 4.8.1-150400.10.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL, range: < 4.2.1-27.22.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOS, range: < 4.2.1-27.22.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 4.2.1-27.22.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 4.2.1-36.3.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS, range: < 4.6-150100.3.8.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS, range: < 4.6-150100.3.8.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 4.2.1-27.22.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 4.2.1-36.3.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1, range: < 4.6-150100.3.8.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2, range: < 4.6-150100.3.8.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Manager%20Proxy%204.2, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20Manager%20Server%204.2, range: < 4.8.1-150300.4.6.1
  - pkg:rpm/suse/shadow&distro=SUSE%20OpenStack%20Cloud%209, range: < 4.2.1-27.22.1
  - pkg:rpm/suse/shadow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 4.2.1-27.22.1
Vulnerability mechanics
Root cause
"Missing validation of control characters in the valid_field function allows injection of \r and Unicode characters to manipulate the visual output of /etc/passwd."
Attack vector
An attacker with local access can inject control characters (e.g., `\r`) and Unicode characters into fields processed by the SUID program `chfn`. Although `\n` is blocked, `\r` is not, allowing the attacker to manipulate the visual output of `/etc/passwd` when viewed with `cat`. By crafting a field that uses `\r` to overwrite portions of the line and Unicode to bypass the `:` character block, the attacker can make it appear that a rogue user account has been added. This is a social-engineering vector: a system administrator seeing the manipulated output may be convinced to take the system offline, resulting in an indirect denial of service [ref_id=1].
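Because the misrepresentation only exists in how a terminal renders the bytes, a defender can check what is actually stored by escaping every control and non-ASCII byte before printing. The following is an added example, not part of the original page or of Shadow; `escape_passwd_line` is a hypothetical helper name, and it flags non-ASCII bytes for review even though they can also occur in legitimate names.

```c
#include <stdio.h>
#include <string.h>

/* Copy one passwd line into out, replacing every control byte and every
 * non-ASCII byte with a \xNN escape so a terminal cannot reinterpret it.
 * The trailing newline is dropped. Returns the number of escaped bytes,
 * or -1 if out is too small. (Hypothetical helper for this example.) */
int escape_passwd_line(const char *line, char *out, size_t cap)
{
    size_t len = strlen(line), o = 0;
    int escaped = 0;

    if (len > 0 && line[len - 1] == '\n')
        len--;                          /* record terminator, not field data */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c < 0x20 || c >= 0x7f) {    /* control, DEL, or non-ASCII byte */
            if (o + 5 > cap)
                return -1;
            snprintf(out + o, 5, "\\x%02x", (unsigned)c);
            o += 4;
            escaped++;
        } else {
            if (o + 2 > cap)
                return -1;
            out[o++] = (char)c;
        }
    }
    if (o >= cap)
        return -1;
    out[o] = '\0';
    return escaped;
}

/* Print only the records that contain bytes needing review. */
int main(int argc, char **argv)
{
    char line[1024], shown[4 * sizeof line + 1];
    FILE *fp = fopen(argc > 1 ? argv[1] : "/etc/passwd", "r");
    if (fp == NULL)
        return 1;
    for (int n = 1; fgets(line, sizeof line, fp) != NULL; n++)
        if (escape_passwd_line(line, shown, sizeof shown) > 0)
            printf("line %d: %s\n", n, shown);
    fclose(fp);
    return 0;
}
```

`cat -v /etc/passwd` gives a similar view without extra tooling, rendering a carriage return as `^M`.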
Affected code
The vulnerability resides in the `valid_field` function in Shadow's source code, which is used by the SUID program `chfn` (change finger). The function was intended to scan fields for non-printable and illegal characters but did not check for control characters such as `\r` (carriage return). The patch modifies `valid_field` to also reject control characters via `iscntrl()` [ref_id=1].
What the fix does
The patch adds a check for control characters using `iscntrl(*cp)` in the `valid_field` function. Previously, the function only checked for non-printable characters via `isprint()`, which allowed control characters like `\r` to pass through. The new logic returns `-1` (illegal) when a control character is detected, rather than just `1` (non-printable but allowed). This closes the injection vector by rejecting any field containing control characters before it can be written to `/etc/passwd` [ref_id=1].
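The change in return value described above can be seen in a simplified model of the check. This is an added example, not Shadow's own code: `check_before` and `check_after` are hypothetical names, the block list `":\n"` is taken from the description, and the sample fields are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch behaviour as the text describes it: a block-listed character is
 * illegal (-1); any other non-printable byte is only flagged (1). */
int check_before(const char *field, const char *illegal)
{
    int err = 0;
    for (const char *cp = field; *cp != '\0'; cp++) {
        if (strchr(illegal, *cp) != NULL)
            return -1;
        if (!isprint((unsigned char)*cp))
            err = 1;
    }
    return err;
}

/* Post-patch behaviour as described: control characters are illegal too. */
int check_after(const char *field, const char *illegal)
{
    int err = 0;
    for (const char *cp = field; *cp != '\0'; cp++) {
        if (strchr(illegal, *cp) != NULL || iscntrl((unsigned char)*cp))
            return -1;
        if (!isprint((unsigned char)*cp))
            err = 1;
    }
    return err;
}

int main(void)
{
    /* Constructed inputs: a clean field, one with \r, one with ':'. */
    const char *samples[] = { "Alice Example", "Alice\rExample", "Alice:Example" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: before=%d after=%d\n", i,
               check_before(samples[i], ":\n"), check_after(samples[i], ":\n"));
    return 0;
}
```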
Preconditions
- auth: Attacker must have local access to the system to run the SUID chfn program
- input: Attacker must be able to provide crafted input to chfn fields (e.g., finger name, office, phone)
Reproduction
No public PoC is included in the bundle.
Generated on Jun 13, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d (mitre)
- github.com/shadow-maint/shadow/pull/687 (mitre)
- www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/ (mitre)
- www.trustwave.com/en-us/resources/security-resources/security-advisories/ (mitre)