CVE-2015-8768 – CVE-2015-8768 is a critical vulnerability in cl... (How to Fix)

Q: What is the severity of CVE-2015-8768?

CVE-2015-8768 has a CVSS score of 9.8 (CRITICAL). CVE-2015-8768 is a critical vulnerability in click/install.py that allows attackers to bypass security restrictions when installing packages. By crafting malicious package tarballs without requiring files to start with './', attackers can install alternate security policies and gain elevated privileges. This primarily affects Ubuntu Phone systems using the click package manager.

📋 TL;DR

CVE-2015-8768 is a critical vulnerability in click/install.py that allows attackers to bypass security restrictions when installing packages. By crafting malicious package tarballs without requiring files to start with './', attackers can install alternate security policies and gain elevated privileges. This primarily affects Ubuntu Phone systems using the click package manager.

💻 Affected Systems

Products:

click package manager

Versions: All versions prior to the fix

Operating Systems: Ubuntu Phone/Touch

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects Ubuntu Phone/Touch systems using click for app installation. Traditional Ubuntu desktop systems are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges, allowing complete control over the affected device and potential lateral movement in connected networks.

🟠

Likely Case

Privilege escalation leading to unauthorized access to sensitive data, installation of backdoors, or disruption of device functionality.

🟢

If Mitigated

Limited impact with proper package source validation and restricted installation permissions in place.

🌐 Internet-Facing: MEDIUM - Requires user interaction to install malicious packages, but could be distributed through app stores or repositories.

🏢 Internal Only: LOW - Primarily affects mobile devices rather than traditional enterprise infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Demonstrated with test.mmrow app for Ubuntu phone. Requires user to install a malicious package.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in click package updates (Ubuntu USN-2771-1)

Vendor Advisory: http://ubuntu.com/usn/usn-2771-1

Restart Required: No

Instructions:

1. Update click package via apt-get update && apt-get upgrade click. 2. Verify installation with dpkg -l click. 3. Ensure no malicious packages are installed.

🔧 Temporary Workarounds

Restrict package installation sources

linux

Only install packages from trusted repositories and verified sources

Implement package validation

linux

Add validation to ensure package files start with './' before installation

🧯 If You Can't Patch

Disable click package manager functionality if not required
Implement strict app installation policies and user education about untrusted packages

🔍 How to Verify

Check if Vulnerable:

Check click package version: dpkg -l | grep click. If version is prior to fix, system is vulnerable.

Check Version:

dpkg -l | grep click

Verify Fix Applied:

Verify click package is updated to patched version and test installation of known safe packages.

📡 Detection & Monitoring

Log Indicators:

Unusual package installation events
Click installation failures or warnings
Security policy modification attempts

Network Indicators:

Downloads from untrusted repositories
Unusual package sources

SIEM Query:

source="click" AND (event="install" OR event="policy_change") AND status="failure"

📊 Metadata

CVE ID: CVE-2015-8768

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-264

Published: February 13, 2017

Last Updated: April 20, 2025

🔗 References

http://bazaar.launchpad.net/~click-hackers/click/devel/revision/587
http://ubuntu.com/usn/usn-2771-1 Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/12/8 Mailing List,Patch,Third Party Advisory
http://www.securityfocus.com/bid/96386 Third Party Advisory,VDB Entry
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1506467 Issue Tracking,Patch,Third Party Advisory
https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554 Issue Tracking,Patch,Third Party Advisory
https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/
https://plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF
http://bazaar.launchpad.net/~click-hackers/click/devel/revision/587
http://ubuntu.com/usn/usn-2771-1 Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/12/8 Mailing List,Patch,Third Party Advisory
http://www.securityfocus.com/bid/96386 Third Party Advisory,VDB Entry
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1506467 Issue Tracking,Patch,Third Party Advisory
https://code.launchpad.net/~cjwatson/click/audit-missing-dot-slash/+merge/274554 Issue Tracking,Patch,Third Party Advisory
https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/
https://plus.google.com/+SzymonWaliczek/posts/3jbG2uiAniF

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2015-8768, you might also want to check these: