CVE-2025-49809
BaseFortify
Publication date: 2025-07-04
Last updated on: 2025-07-08
Assigner: MITRE
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in mtr (up to version 0.95) involves improper handling of the MTR_PACKET environment variable when mtr is run in certain privileged contexts, especially when mtr-packet is not setuid-root but some users have sudo privileges to run mtr. An attacker with limited sudo access could exploit this to escalate privileges by manipulating the MTR_PACKET variable. The vulnerability arises because mtr executes a program specified by this environment variable without sufficient checks, potentially allowing unauthorized code execution with elevated privileges. [1]
How can this vulnerability impact me?
If you run mtr in an environment where it is executed with limited sudo privileges but without the mtr-packet binary being setuid-root, an attacker who gains access to a user account with sudo rights to run mtr could exploit this vulnerability to escalate their privileges. This could lead to unauthorized execution of code with higher privileges, compromising system security and potentially allowing full system control. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the mtr tool is running with sudo privileges and if the environment variable MTR_PACKET is being used or manipulated. Additionally, verify if the file /etc/mtr.is.run.under.sudo exists, as its presence changes how MTR_PACKET is handled. Commands to help detect this include:

1. Checking for the presence of the file: `ls -l /etc/mtr.is.run.under.sudo`
2. Inspecting environment variables for running mtr processes: `ps aux | grep mtr` and then `cat /proc/<pid>/environ | tr '\0' '\n' | grep MTR_PACKET`
3. Checking if mtr is installed with setuid root: `ls -l $(which mtr)`
4. Attempting to run mtr without sudo and observing error messages such as "Failure to open IPv4 sockets: Operation not permitted" or "mtr: Failure to start mtr-packet: Invalid argument" which indicate permission issues related to this vulnerability. [1, 2]
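The first three checks above, combined into one script as an added example (not code from the mtr project or the cited references). The function names are hypothetical; the marker path and the MTR_PACKET variable are the ones named on this page, and the process scan assumes a Linux /proc.

```shell
#!/bin/sh
# Added audit sketch for CVE-2025-49809. Run as root to read other users' /proc entries.
MARKER=/etc/mtr.is.run.under.sudo   # marker path quoted on this page

# True when the marker file exists (patched mtr then ignores MTR_PACKET).
marker_present() { [ -e "${1:-$MARKER}" ]; }

# True when the setuid bit is set on the given binary.
setuid_bit_set() { [ -u "$1" ]; }

# True when a NUL-separated environ file (as in /proc/<pid>/environ) sets MTR_PACKET.
environ_sets_mtr_packet() {
    tr '\000' '\n' < "$1" | grep -q '^MTR_PACKET='
}

# Print one finding per line for the local host.
audit_mtr() {
    if marker_present; then
        echo "marker: $MARKER present"
    else
        echo "marker: $MARKER absent"
    fi
    for name in mtr mtr-packet; do
        bin=$(command -v "$name" 2>/dev/null) || continue
        if setuid_bit_set "$bin"; then
            echo "$name: setuid bit set ($(ls -ln "$bin"))"
        else
            echo "$name: no setuid bit ($bin)"
        fi
    done
    # Only processes whose command name is mtr or mtr-packet are inspected.
    for dir in /proc/[0-9]*; do
        [ -r "$dir/environ" ] || continue
        case "$(cat "$dir/comm" 2>/dev/null)" in
            mtr|mtr-packet) ;;
            *) continue ;;
        esac
        if environ_sets_mtr_packet "$dir/environ"; then
            echo "pid ${dir#/proc/}: MTR_PACKET set in environment"
        fi
    done
}

audit_mtr
```

An absent marker together with no setuid bit and a sudo rule for mtr matches the exposed configuration described above; the sudo rule itself has to be reviewed separately, since the script does not read sudoers.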
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch that ignores the MTR_PACKET environment variable when the file /etc/mtr.is.run.under.sudo exists, as implemented in the referenced commit. Alternatively, ensure that mtr is installed with the setuid root bit set, which allows it to open raw sockets without requiring sudo, thereby avoiding the vulnerability scenario. If using Homebrew on macOS, consider configuring or reinstalling mtr with setuid root permissions or avoid running mtr with sudo in a way that exposes the MTR_PACKET environment variable. Creating the file /etc/mtr.is.run.under.sudo can also enforce ignoring the environment variable to prevent exploitation. [1, 2]