CVE-2018-20969

7.8 HIGH

📋 TL;DR

CVE-2018-20969 is a command injection vulnerability in GNU patch through 2.7.6: do_ed_script in pch.c does not block ed commands that begin with '!', which is ed's shell escape. A crafted ed-style patch therefore runs arbitrary commands with the privileges of whoever invokes patch. It affects any system that applies patches from untrusted sources with GNU patch.

💻 Affected Systems

Products:
  • GNU patch
Versions: All versions through 2.7.6 (the upstream fix landed after that release; distributions backport it without changing the version string)
Operating Systems: Linux, Unix-like systems, any OS running GNU patch
Default Config Vulnerable: ⚠️ Yes
Notes: Triggers only when patch processes an ed-style diff, which it auto-detects unless a format is forced with -u, -c or -n. Requires patch to process untrusted input.

📦 What is this software?

GNU patch takes the output of diff (unified, context, normal or ed-style) and applies it to a source tree. It is a standard tool on virtually every Linux and Unix-like system and is used by package build systems, CI pipelines and code-review tooling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary command execution as the user running patch. When that user is root (package builds, automated patching, privileged CI runners) this is full system compromise; otherwise it is a foothold from which privilege escalation, data theft or lateral movement may follow.

🟠 Likely Case

Code execution as an unprivileged build or service account in an automated system (CI/CD, package build farms, code-review bots) that applies attacker-supplied patches. Privilege escalation only results when patch itself runs with more privilege than the party supplying the patch.

🟢 If Mitigated

Limited impact if patch only processes trusted sources, runs with minimal privileges, and the input format is forced with -u, -c or -n so ed scripts are never interpreted.

🌐 Internet-Facing: MEDIUM - Exploitable if patch processes user-uploaded files via web applications or automated systems.
🏢 Internal Only: MEDIUM - Risk exists in development environments, CI/CD pipelines, or automated patching systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to process a malicious patch file. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed upstream in GNU patch's git repository after the 2.7.6 release (no 2.7.7 tarball was published when the advisories appeared); distributions ship the fix as a backport, so rely on your distribution's advisory rather than the upstream version number.

Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2798

Restart Required: No

Instructions:

1. Update the patch package from your distribution; the fix is backported, so the reported version may remain 2.7.6.
2. Red Hat / CentOS: yum update patch
3. Debian / Ubuntu: apt-get update && apt-get install --only-upgrade patch
4. Other distributions: update the patch package with the native package manager, or build patch from the upstream git repository.

🔧 Temporary Workarounds

Input validation / force the diff format

linux

patch only invokes ed when it auto-detects an ed-style diff. Forcing the input format with -u (unified), -c (context) or -n (normal) makes patch reject an ed script as garbage instead of executing it, which is the more reliable workaround. A grep for lines starting with '!' is not sufficient on its own: it misses ed's other shell escapes (r !cmd, w !cmd, e !cmd) and produces false positives on context diffs, whose changed lines start with '! '. Apply the check below only to files that carry no unified or context headers.

# Reject ed commands carrying a shell escape (optional address, then !cmd, r !cmd, w !cmd or e !cmd)
grep -Eq '^[-0-9,;.$+ ]*([erw][[:space:]]*)?!' patchfile && echo "Rejecting patch with ed shell escapes"

Run with minimal privileges

linux

Execute patch as a dedicated unprivileged account that owns only the tree being patched, so a shell escape runs with no more access than that account has.

sudo -u lowprivuser patch -p1 < patchfile
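The forced-format workaround above, as an added shell example that is not code from the page, from GNU patch or from Red Hat. It classifies a patch file by the markers each diff format carries, maps the result to the -u/-c/-n option that forces that format, and refuses anything it cannot force, so ed is never invoked. The diff_format, force_flag and safe_patch names are assumptions of the example; it assumes POSIX sh, grep -E and GNU patch.

```shell
# Added example (not from the advisory or GNU patch): pre-check a patch
# file and apply it only through a forced format. Assumes POSIX sh,
# grep -E and GNU patch's -u/-c/-n options.

# Classify FILE by the markers each diff format carries:
#   unified   "@@ " hunk headers         -> patch -u
#   context   "*** " file header         -> patch -c
#   normal    "3a4" / "5,6c7" commands   -> patch -n
#   ed-shell  ed command with a "!" escape: !cmd, r !cmd, w !cmd, e !cmd
#   ed        ed script without a shell escape (would still need ed)
#   unknown   anything else
# Order matters: context diffs mark changed lines with "! " and a unified
# diff may add a line "+!x", so the header checks run before the ed checks.
diff_format() {
    if grep -Eq '^@@ ' "$1"; then
        echo unified
    elif grep -Eq '^\*\*\* ' "$1"; then
        echo context
    elif grep -Eq '^[0-9]+(,[0-9]+)?[acd][0-9]+(,[0-9]+)?$' "$1"; then
        echo normal
    elif grep -Eq '^[-0-9,;.$+ ]*([erw][[:space:]]*)?!' "$1"; then
        echo ed-shell
    elif grep -Eq '^[0-9]+(,[0-9]+)?[acdi]$' "$1"; then
        echo ed
    else
        echo unknown
    fi
}

# Map a classification to the option that forces that format; return 1
# for anything that could only be applied as an ed script.
# (printf rather than echo: "echo -n" would print nothing.)
force_flag() {
    case $1 in
        unified) printf '%s\n' -u ;;
        context) printf '%s\n' -c ;;
        normal)  printf '%s\n' -n ;;
        *)       return 1 ;;
    esac
}

# safe_patch FILE [patch options such as -p1]
# Applies FILE only when its format can be forced; a --dry-run goes first
# so a rejected file leaves the tree untouched.
safe_patch() {
    file=$1; shift
    flag=$(force_flag "$(diff_format "$file")") || {
        echo "refusing $file: not a unified, context or normal diff" >&2
        return 1
    }
    patch "$flag" --dry-run "$@" -i "$file" >/dev/null && patch "$flag" "$@" -i "$file"
}
```

The classification is deliberately a reject-list: a file with no recognised markers is refused rather than guessed at, and even a misclassified file never reaches ed because the forced format is passed to patch on every call.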

🧯 If You Can't Patch

  • Restrict patch usage to trusted sources only
  • Force the input format with -u, -c or -n so ed-style diffs are never handed to ed
  • Implement strict input validation for all patch files, and run patch as an unprivileged account
  • Do not rely on removing ed: the closely related CVE-2019-13638 (fixed by the same upstream commit, per NVD) is exploitable without ed being installed

🔍 How to Verify

Check if Vulnerable:

The version alone is inconclusive, because distributions backport the fix without changing the upstream 2.7.6 string. Check whether the installed package carries the CVE fix:

RPM-based: rpm -q --changelog patch | grep -i CVE-2018-20969
Debian/Ubuntu: zgrep -i CVE-2018-20969 /usr/share/doc/patch/changelog.Debian.gz

Check Version:

patch --version | head -1

Verify Fix Applied:

Either the package changelog or the distribution advisory (e.g. RHSA-2019:2798) names CVE-2018-20969 for the installed package version, or patch reports a release newer than 2.7.6: patch --version | grep -q '2\.7\.[7-9]\|2\.[8-9]'

📡 Detection & Monitoring

Log Indicators:

  • patch spawning ed, or that ed spawning a shell, in process-creation logs (auditd execve records, EDR telemetry); legitimate ed-style diffs produce the first hop too, so correlate with where the patch came from
  • Failed patch applications reporting garbage or malformed input after forcing -u/-c/-n, which can mean an ed script was supplied
  • Unexpected process executions during patching

Network Indicators:

  • Unusual outbound connections from patch, ed, or a shell they spawned

SIEM Query:

process.parent.name:"patch" AND (process.name:"ed" OR process.name:"sh" OR process.name:"bash")
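The process-chain logic behind that query, as an added shell example (not from the page or any SIEM vendor). It runs over a constructed CSV of process-creation events, in the shape one could export from auditd execve records or an EDR, and reports every ed or shell process whose parent is patch together with that process's own descendants. The field layout, the SAMPLE_EVENTS data and the patch_spawned_editor name are assumptions of the example.

```shell
# Added example (not from the page): offline check of process-creation
# events for the parent/child chain CVE-2018-20969 produces, namely patch
# spawning ed (or a shell) and ed in turn spawning a shell.
# Constructed input, one event per line:
#   timestamp,ppid,pid,parent_name,name,cmdline
SAMPLE_EVENTS='2019-09-17T10:00:01Z,1200,1201,make,patch,patch -p1
2019-09-17T10:00:01Z,1201,1202,patch,ed,ed - file.c
2019-09-17T10:00:02Z,1202,1203,ed,sh,sh -c id
2019-09-17T10:00:05Z,1300,1301,bash,patch,patch -u -p1
2019-09-17T10:00:06Z,1400,1401,bash,vim,vim file.c'

# patch_spawned_editor EVENTS
# Prints events whose parent is patch and whose image is ed or a shell,
# then every descendant of a flagged process (ed's own shell escape).
# Events must be in creation order, as process logs normally are.
patch_spawned_editor() {
    printf '%s\n' "$1" | awk -F, '
        $4 == "patch" && ($5 == "ed" || $5 == "sh" || $5 == "bash") {
            flagged[$3] = 1; print; next
        }
        ($2 in flagged) { flagged[$3] = 1; print }'
}
```

Running patch_spawned_editor "$SAMPLE_EVENTS" reports the ed process and the sh it launched, and stays silent on the run that forced -u. Treat a hit as a hunt lead, not proof: a trusted ed-style diff produces the patch to ed hop as well, so the origin of the patch file decides.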
