haveged Control Socket Flaw Allows Local Privilege Escalation
Ubuntu security advisory USN-8358-1 discloses a credential validation bypass in haveged that could permit local attackers to execute privileged commands. The vulnerability stems from improper access controls on the entropy daemon's control socket.
TL;DR
- haveged fails to properly validate credentials on its control socket, creating a local privilege escalation vector
- Attackers with local access can bypass authentication and execute commands with elevated privileges
- The flaw affects systems relying on haveged for entropy generation, commonly deployed in virtualized and embedded environments
- Ubuntu has released patches; administrators should update affected systems immediately
Ubuntu's security team has identified a credential validation flaw in haveged, a user-space entropy daemon used to supplement system randomness on Linux systems. The vulnerability permits local attackers to circumvent authentication mechanisms on the daemon's control socket, potentially leading to unauthorized execution of privileged operations.
This class of vulnerability is particularly concerning in multi-tenant environments, containerized deployments, and systems where local user isolation is a security boundary. haveged is commonly deployed in virtualized infrastructure and embedded systems where hardware entropy sources are limited, making this flaw a practical attack surface for privilege escalation.
Technical Details
- haveged's control socket fails to enforce proper credential checks before accepting commands
- Local attackers can exploit this to issue privileged operations without proper authentication
- The vulnerability is classified as a local privilege escalation issue with direct impact on system security
- Affected systems include those running vulnerable versions of haveged across Ubuntu distributions
Mitigation and Response
- Ubuntu has released security patches via USN-8358-1; administrators should apply updates immediately
- Review local user access policies and restrict unnecessary local account creation
- Consider disabling haveged if entropy generation can be handled by hardware RNG or kernel mechanisms
- Monitor system logs for suspicious control socket access attempts and privilege escalation activities
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.