Security readout for executives and security teams
Plain-English summary
CVE-2011-2777 is a local privilege escalation issue in acpid/acpid2 2.0.16 and earlier. The vulnerable sample power button script mishandles process detection and environment data, allowing a local user to potentially run commands with higher privileges. The supplied sources do not show internet-exposed exploitation or active exploitation.
Executive priority
Handle as legacy Linux hardening rather than an internet-facing emergency. Prioritize shared systems and endpoints where untrusted users can log in locally, because successful exploitation could turn a low-privileged account into a higher-privileged foothold.
Technical view
The flaw is in samples/powerbtn/powerbtn.sh. It uses pidof incorrectly around a process name and trusts DBUS_SESSION_BUS_ADDRESS in a way that can lead to command execution by a local user. The source bundle identifies acpid/acpid2 2.0.16 and earlier, but provides limited vendor/version metadata beyond that description.
Likely exposure
Exposure is most likely on older Linux systems using acpid/acpid2 2.0.16 or earlier where the sample power button script is installed and active. Risk is higher on shared workstations, servers with untrusted local users, or environments where local accounts are broadly granted.
Exploitation context
The supplied sources describe local privilege escalation, not remote exploitation. KEV is false, and no cited source in the bundle confirms active exploitation. An attacker would already need local access or a path to run code as a lower-privileged user.
Researcher notes
Evidence is sparse in the supplied bundle. The CVE description names the vulnerable file, affected version ceiling, local-user prerequisite, and unsafe environment handling. It does not provide CVSS, CWE, complete affected CPEs, exploit prevalence, or a confirmed fixed version.
Mitigation direction
- Inventory systems running acpid/acpid2 and identify versions at or below 2.0.16.
- Check vendor advisories or distribution package notes for fixed acpid builds.
- Remove or replace the vulnerable sample powerbtn.sh where vendor guidance supports doing so.
- Limit local shell access on affected shared Linux systems until remediated.
- Prioritize remediation on systems with untrusted local users.
Validation and detection
- Confirm whether acpid/acpid2 is installed and record the package version.
- Verify whether samples/powerbtn/powerbtn.sh exists and is used for power button handling.
- Review distribution changelogs for a fix referencing CVE-2011-2777 or the Launchpad bug.
- Confirm local users cannot modify or influence the active power button handler.
- Document residual exposure where vendor fix status is unclear.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2011-2777 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://bugs.launchpad.net/ubuntu/+source/acpid/+bug/893821CVE reference · x_refsource_CONFIRM
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
