Описание
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
Отчет
To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the Root.Chmod function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Assisted Installer for Red Hat OpenShift Container Platform 2 | redhat-user-workloads/appliance | Affected | ||
| Builds for Red Hat OpenShift | redhat-user-workloads/openshift-builds-waiter-1-6 | Not affected | ||
| Builds for Red Hat OpenShift | redhat-user-workloads/openshift-builds-waiter-1-7 | Not affected | ||
| cert-manager Operator for Red Hat OpenShift | redhat-user-workloads/jetstack-cert-manager-1-17 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | redhat-user-workloads/jetstack-cert-manager-1-18 | Affected | ||
| Confidential Compute Attestation | redhat-user-workloads/osc-caa | Affected | ||
| Confidential Compute Attestation | redhat-user-workloads/trustee-operator | Affected | ||
| Deployment Validation Operator | redhat-user-workloads/deployment-validation-operator | Affected | ||
| ExternalDNS Operator | edo/external-dns-rhel8 | Affected | ||
| ExternalDNS Operator | edo/external-dns-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.8 High
CVSS3
Связанные уязвимости
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
On Linux, if the target of Root.Chmod is replaced with a symlink while ...
EPSS
7.8 High
CVSS3