CVE-2012-1187

9.8 CRITICAL (as listed; note that this score implies a network attack vector with no privileges required, which contradicts the local-access, authenticated exploitation described below. Treat the practical severity as that of a local root escalation.)

📋 TL;DR

CVE-2012-1187 is a local privilege escalation in BitlBee's unix.c. When the process gives up its elevated privileges it changes its user and group but does not drop the supplementary group list it inherited, so the supposedly unprivileged process keeps group memberships it should have lost. A local attacker can use this to gain root on the affected system. Only installations whose BitlBee binary carries setuid or setgid permissions are affected.
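The program below is an added illustration of the class of mistake the TL;DR describes; it is not code from BitlBee's unix.c. A process that starts with root privileges also carries the supplementary group list of whatever started it (for a root shell, typically gid 0). Calling setgid() and setuid() changes the primary gid and the uid but leaves that list untouched, so the "dropped" process is still a member of every one of those groups. The hardened variant resets the supplementary list while it still has the privilege to do so, then changes gid, then uid, and verifies the result instead of trusting the return codes. The function names, the `nobody` default account and the `incomplete` switch are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Count entries in a supplementary-group list that are not `allowed`.
 * After dropping to an account whose only group should be its primary gid,
 * any other entry (gid 0 in particular) means the inherited list survived
 * the drop. Pure function, so it can be checked without root. */
int count_leaked_groups(const gid_t *groups, int ngroups, gid_t allowed)
{
    int leaked = 0;
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] != allowed)
            leaked++;
    }
    return leaked;
}

/* Read this process's supplementary groups into a malloc'd buffer.
 * Returns the count or -1 on error; *out is NULL when the count is 0. */
int current_groups(gid_t **out)
{
    *out = NULL;
    int n = getgroups(0, NULL);
    if (n <= 0) return n;                /* 0 groups, or -1 on error */
    *out = calloc((size_t)n, sizeof(gid_t));
    if (*out == NULL) return -1;
    n = getgroups(n, *out);
    if (n < 0) { free(*out); *out = NULL; }
    return n;
}

/* The incomplete pattern this CVE describes (assumed shape, not BitlBee's code):
 * primary gid and uid change, but setgroups()/initgroups() is never called,
 * so the supplementary list inherited from the root-started process is kept. */
int drop_privileges_incomplete(const struct passwd *pw)
{
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

/* Hardened drop. Order matters: the supplementary list can only be changed
 * while the process still has root/CAP_SETGID, the gid must change before
 * the uid, and setuid() comes last because it is what gives the privilege away. */
int drop_privileges_hardened(const struct passwd *pw)
{
    /* Exactly one supplementary group: the target's primary gid.
     * initgroups(pw->pw_name, pw->pw_gid) is the alternative when the daemon
     * legitimately needs the account's other groups. */
    if (setgroups(1, &pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;

    /* Verify rather than trust: regaining root must now fail, and the
     * group list must contain nothing but the target gid. */
    if (setuid(0) == 0 || setgid(0) == 0) return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    gid_t *groups = NULL;
    int n = current_groups(&groups);
    int leaked = (n < 0) ? 1 : count_leaked_groups(groups, n, pw->pw_gid);
    free(groups);
    return leaked == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* assumed target account */
    int incomplete = argc > 2 && strcmp(argv[2], "incomplete") == 0;

    if (geteuid() != 0) {
        fprintf(stderr, "run as root to see the difference between the two drops\n");
        return 2;
    }
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", user); return 2; }

    int rc = incomplete ? drop_privileges_incomplete(pw) : drop_privileges_hardened(pw);
    gid_t *groups = NULL;
    int n = current_groups(&groups);
    printf("%s drop returned %d: uid=%u gid=%u supplementary:",
           incomplete ? "incomplete" : "hardened", rc,
           (unsigned)getuid(), (unsigned)getgid());
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)groups[i]);
    printf("  leaked=%d\n", n < 0 ? -1 : count_leaked_groups(groups, n, pw->pw_gid));
    free(groups);
    return rc == 0 ? 0 : 1;
}
```

Run it from a root shell against a throwaway account: `./drop nobody` prints a clean list, while `./drop nobody incomplete` reports that the drop returned 0 and yet shows gid 0 (or whatever groups the starting shell carried) still present. The same information is visible from outside any running daemon in the `Groups:` line of /proc/<pid>/status, which is the quickest way to check a deployed BitlBee.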

💻 Affected Systems

Products:
  • BitlBee
Versions: prior to 3.0.5 (fixed in 3.0.5)
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: The bug is in the privilege-dropping step, so it only matters when the process starts with privileges it is supposed to give up. A standard installation does not set the setuid or setgid bit on the BitlBee binary; only installations that do are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full root privileges, enabling complete system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Local user escalates privileges to root, gaining unauthorized access to sensitive system resources and other user accounts.

🟢

If Mitigated

If the BitlBee binary carries no setuid/setgid bit, the process never holds privileges it has to drop, so there is nothing for the flaw to leak; impact is limited to the permissions of the account BitlBee runs as.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local system access.
🏢 Internal Only: HIGH - Internal users with shell access can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an existing local account or shell on the target; the issue is not reachable over the network. Proof-of-concept code has reportedly been public since 2012.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BitlBee 3.0.5 and later

Vendor Advisory: https://bugs.bitlbee.org/ticket/852

Restart Required: Yes

Instructions:

1. Update BitlBee to version 3.0.5 or later using your distribution's package manager.
2. Restart the BitlBee service so the running process is replaced.
3. Verify with `bitlbee -V` (BitlBee takes short options only) that the reported version is 3.0.5 or later. Distribution packages may backport the fix without changing the upstream version number; in that case check the package changelog or your distribution's advisory instead.

🔧 Temporary Workarounds

Remove setuid/setgid permissions

linux

Remove the setuid and setgid bits from the BitlBee binary so it never runs with privileges it would then have to drop. Adjust the path to wherever your distribution installs the binary (some ship it under /usr/sbin).

chmod u-s /usr/bin/bitlbee
chmod g-s /usr/bin/bitlbee

Run as non-privileged user

linux

Start BitlBee as an unprivileged account from the outset, for example by having your service manager or inetd launch it as the bitlbee user, rather than starting it as root and relying on BitlBee's own privilege drop, which is the step this CVE concerns. With no setuid/setgid bits and no root start there are no extra privileges to leak.

🧯 If You Can't Patch

  • Remove setuid/setgid permissions from BitlBee binary immediately
  • Restrict local user access to systems running vulnerable BitlBee versions

🔍 How to Verify

Check if Vulnerable:

Affected if the binary carries a setuid or setgid bit and the version is below 3.0.5:

ls -l /usr/bin/bitlbee && bitlbee -V

In the ls output, an `s` or `S` in the fourth character (owner execute position) is the setuid bit and in the seventh character (group execute position) is the setgid bit.

Check Version:

bitlbee -V

Verify Fix Applied:

The reported version must be 3.0.5 or higher and the grep below must print nothing; any match means a set-id bit is still present (the pattern also catches the capital `S` form, a set-id bit without the execute bit):

bitlbee -V && ls -l /usr/bin/bitlbee | grep -E '^...[sS]|^......[sS]'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation attempts by local users (new root shells or sudo/su activity that does not match the user's normal pattern)
  • A bitlbee process owned by an unprivileged account that still holds group 0 or other privileged groups in the Groups: line of /proc/<pid>/status

Network Indicators:

  • Not applicable - local exploit only

SIEM Query:

process.name:"bitlbee" AND NOT user.name:"root" AND process.privileges:"root"

Field names are schema-dependent and shown here as illustration; most process-event sources do not record supplementary groups at all, so the /proc/<pid>/status check above is the reliable test for the leaked group list.

🔗 References