CVE-2022-0563 Overview
A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an INPUTRC environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
Critical Impact
Unprivileged local users can leverage setuid binaries (chfn/chsh) to read contents of arbitrary root-owned files, potentially exposing sensitive system credentials and configuration data that could facilitate privilege escalation.
Affected Products
- Kernel util-linux (versions prior to 2.37.4)
- NetApp ONTAP Select Deploy Administration Utility
Discovery Timeline
- 2022-02-21 - CVE-2022-0563 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2022-0563
Vulnerability Analysis
This vulnerability is classified under CWE-209 (Generation of Error Message Containing Sensitive Information). The core issue resides in how the GNU Readline library handles configuration file parsing errors when invoked by setuid programs like chfn and chsh.
When util-linux is compiled with Readline support, the chfn (change finger information) and chsh (change shell) utilities inherit Readline's behavior of reading configuration from a file specified by the INPUTRC environment variable. Since these utilities run with elevated privileges (setuid root), an attacker can set INPUTRC to point to any file on the system. When Readline encounters parsing errors in the specified file, it outputs error messages that include portions of the file content.
This creates an information disclosure primitive where an unprivileged user can read arbitrary files owned by root by pointing INPUTRC to sensitive files such as /etc/shadow, private SSH keys, or other protected configuration files. The attack requires local access but no special privileges beyond what a standard user possesses.
Root Cause
The root cause is the unsafe interaction between environment variable handling and setuid privilege boundaries. Specifically:
- The INPUTRC environment variable is not sanitized or ignored when the program runs with elevated privileges
- The Readline library outputs file contents in error messages when it fails to parse a configuration file
- The setuid chfn and chsh utilities maintain access to attacker-controlled environment variables while executing with root privileges
This violates the principle that setuid programs should sanitize their environment and avoid leaking privileged information through error messages.
Attack Vector
The attack is executed locally and requires low privileges. An attacker with a standard user account can exploit this vulnerability by manipulating the INPUTRC environment variable before invoking the vulnerable setuid binaries.
The exploitation technique involves setting INPUTRC to point to a sensitive file (such as /etc/shadow or private key files), then executing chfn or chsh. The Readline library, running with root privileges inherited from the setuid binary, attempts to parse the targeted file. When parsing fails, Readline outputs error messages containing portions of the file content, which the attacker can capture from the terminal output.
This allows line-by-line exfiltration of sensitive system files. The attacker could potentially extract password hashes from /etc/shadow, read SSH private keys, or access other confidential system configuration files that would normally be inaccessible to unprivileged users.
Detection Methods for CVE-2022-0563
Indicators of Compromise
- Unusual execution patterns of chfn or chsh binaries with custom INPUTRC environment variables
- Error messages in system logs containing unexpected file content from sensitive system files
- Multiple invocations of chfn/chsh from the same user in rapid succession without a legitimate use case
- Process execution with INPUTRC pointing to sensitive files like /etc/shadow, /root/.ssh/*, or similar
Detection Strategies
- Monitor process execution for chfn and chsh with environment variable logging enabled to detect suspicious INPUTRC values
- Implement auditd rules to track access to sensitive files through unexpected processes
- Configure syslog monitoring for Readline parsing error messages that may contain sensitive data
- Deploy endpoint detection to identify patterns of environment variable manipulation preceding setuid binary execution
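A spot check for the INPUTRC indicator listed above, as an added example that is not part of the original advisory. Run as root, it reads /proc/<pid>/environ of live chfn/chsh processes and flags an INPUTRC that is neither /etc/inputrc nor a .inputrc dotfile; the function names and that allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag running chfn/chsh processes started with an INPUTRC override.
# Run as root: the environ file of a setuid-root process is not readable by its invoker.

# env_value FILE NAME -> value of NAME in a NUL-separated environ file ("" if unset).
env_value() {
    tr '\0' '\n' 2>/dev/null < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# inputrc_verdict VALUE -> "unset", "benign" or "suspicious".
# Assumption: only the system file and a per-user dotfile are expected values.
inputrc_verdict() {
    case "$1" in
        "")                      echo unset ;;
        /etc/inputrc|*/.inputrc) echo benign ;;
        *)                       echo suspicious ;;
    esac
}

# scan_proc ROOT -> one line per chfn/chsh process: "pid comm verdict inputrc".
# ROOT is normally /proc; a directory with the same layout works for testing.
scan_proc() {
    for d in "$1"/[0-9]*; do
        [ -r "$d/comm" ] && [ -r "$d/environ" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || continue   # process may have exited
        case "$comm" in chfn|chsh) ;; *) continue ;; esac
        val=$(env_value "$d/environ" INPUTRC)
        echo "${d##*/} $comm $(inputrc_verdict "$val") ${val:--}"
    done
}

# Print only the processes worth a closer look.
scan_proc /proc | grep ' suspicious ' || true
```

It only sees processes alive at scan time, so it complements exec-time audit logging rather than replacing it.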
Monitoring Recommendations
- Enable process accounting and audit logging for all setuid binary executions on critical systems
- Configure file integrity monitoring on sensitive files like /etc/shadow to detect unusual read access patterns
- Review authentication logs for any indicators of credential harvesting following suspected exploitation
- Establish baseline behavior for chfn and chsh usage and alert on anomalous patterns
How to Mitigate CVE-2022-0563
Immediate Actions Required
- Upgrade util-linux to version 2.37.4 or later on all affected systems
- Review systems for util-linux installations compiled with Readline support using ldd /usr/bin/chfn | grep readline
- Audit system logs for potential prior exploitation attempts involving chfn or chsh
- Consider temporarily restricting access to chfn and chsh if immediate patching is not possible
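The three conditions from this advisory (util-linux older than 2.37.4, Readline linked in, setuid bit set) combined into one host check. This is an added example, not code from util-linux or the original advisory; the function names and result labels are made up here, and the binary paths are the ones used in the commands on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): triage one host for CVE-2022-0563.
# Exposure needs all three: util-linux < 2.37.4, Readline linked in, setuid bit.
FIXED_VERSION="2.37.4"   # first fixed release, as stated in the advisory

# ver_lt A B -> success if dotted version A is lower than B.
# Suffixes such as "-rc1" are dropped; missing fields count as 0.
ver_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    for i in 1 2 3 4; do
        x=$(printf '%s.0.0.0' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s.0.0.0' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# classify VERSION READLINE SETUID -> finding for one binary.
# READLINE and SETUID are "yes" or "no", as gathered by scan_binary.
classify() {
    if ! ver_lt "$1" "$FIXED_VERSION"; then echo "patched"
    elif [ "$2" != yes ]; then echo "not-exposed:no-readline"
    elif [ "$3" != yes ]; then echo "not-exposed:no-setuid"
    else echo "VULNERABLE"; fi
}

# scan_binary PATH -> gathers the three facts from the live system.
# An empty version means the binary is not util-linux's (some distributions
# ship chfn/chsh from another package), so the advisory does not apply to it.
scan_binary() {
    [ -x "$1" ] || { echo "absent"; return 0; }
    ver=$("$1" --version </dev/null 2>/dev/null |
          sed -n 's/.*util-linux \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown:not-util-linux"; return 0; }
    rl=no; ldd "$1" 2>/dev/null | grep -qi readline && rl=yes
    su=no; [ -u "$1" ] && su=yes
    classify "$ver" "$rl" "$su"
}

for bin in /usr/bin/chfn /usr/bin/chsh; do
    printf '%s: %s\n' "$bin" "$(scan_binary "$bin")"
done
```

Distribution packages can carry a backported fix under an older upstream version number, so a VULNERABLE result should be confirmed against the vendor's advisory.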
Patch Information
The vulnerability is addressed in util-linux version 2.37.4 and later. System administrators should update their util-linux packages through their distribution's package manager. For detailed technical discussion of the fix, refer to the Kernel Mailing List Discussion.
Gentoo Linux users should consult Gentoo GLSA 2024-08 for distribution-specific guidance. NetApp customers running ONTAP Select Deploy Administration Utility should refer to NetApp Security Advisory NTAP-20220331-0002 for update instructions.
Workarounds
- Recompile util-linux without Readline support as a temporary measure using ./configure --without-readline
- Remove setuid permissions from chfn and chsh binaries using chmod u-s /usr/bin/chfn /usr/bin/chsh (note: this disables user self-service for these functions)
- Implement AppArmor or SELinux policies to restrict environment variable inheritance for setuid binaries
- Use filesystem access controls to limit which users can execute chfn and chsh
# Example: Remove setuid bit from vulnerable binaries (temporary workaround)
chmod u-s /usr/bin/chfn /usr/bin/chsh
# Verify util-linux version
chfn --version
# Check if compiled with Readline support
ldd /usr/bin/chfn | grep -i readline
# Update util-linux on Debian/Ubuntu
apt update && apt install util-linux
# Update util-linux on RHEL/CentOS
yum update util-linux

