Login Sign Up

CVE-2018-0502

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

A vulnerability in zsh before version 5.6 mishandles the beginning of #! (shebang) script files, potentially causing the execve system call to execute a program named on the second line instead of the intended interpreter. This affects users running vulnerable zsh versions on Unix-like systems, particularly when processing untrusted scripts.

💻 Affected Systems

Products:
  • zsh
Versions: All versions before 5.6
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when zsh processes scripts with specific malformed shebang lines; default zsh installations are vulnerable.

📦 What is this software?

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Zsh by Zsh

View all CVEs affecting Zsh →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges if a vulnerable system processes a malicious script from an untrusted source, leading to complete system compromise.

🟠

Likely Case

Local privilege escalation or arbitrary code execution when users run malicious scripts, potentially gaining unauthorized access or control.

🟢

If Mitigated

Limited impact if proper input validation and script source verification are enforced, restricting execution to trusted sources only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to run a malicious script; proof-of-concept details are publicly available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: zsh 5.6 and later

Vendor Advisory: https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d

Restart Required: No

Instructions:

1. Update zsh to version 5.6 or later using your system's package manager. 2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade zsh. 3. For RHEL/CentOS: sudo yum update zsh. 4. Verify the update with zsh --version.

🔧 Temporary Workarounds

Avoid Untrusted Scripts

all

Do not execute scripts from untrusted sources; verify script integrity before running.

Use Alternative Shell

linux

Temporarily switch to a non-vulnerable shell like bash for script processing.

chsh -s /bin/bash

🧯 If You Can't Patch

  • Restrict script execution to trusted users and sources only.
  • Implement strict file permissions and monitor for unusual script execution patterns.

🔍 How to Verify

Check if Vulnerable:

Run 'zsh --version' and check if version is below 5.6.

Check Version:

zsh --version

Verify Fix Applied:

After update, run 'zsh --version' to confirm version is 5.6 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual execve calls from zsh processes
  • Script execution errors related to shebang parsing

SIEM Query:

Process execution logs where parent process is zsh and command includes unexpected binary names.

📊 Metadata

CVE ID: CVE-2018-0502
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-20
Published: September 5, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-0502, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2019-11708 10.0

This vulnerability allows a compromised child process in Firefox/Thunderbird to trick the parent pro...

Same vulnerability type (CWE-20)
CVE-2020-12388 10.0

This vulnerability allows attackers to escape Firefox's content process sandbox on Windows systems, ...

Same vulnerability type (CWE-20)