A vulnerability has been discovered in cifs-utils, a suite of utilities for mounting and managing CIFS (Common Internet File System) shares, which can potentially lead to an information leak in specific scenarios. This vulnerability (CVE-2022-29869) occurs when the software is in verbose logging mode and mistakenly interprets a file containing equal sign (=) characters as an invalid credentials file. This post will provide an overview of the vulnerability, including the affected versions, potential consequences, code snippets, and steps to mitigate and patch the issue.

Affected Versions

Versions of cifs-utils through 6.14 are affected by this vulnerability.

Impact

An attacker can leverage this vulnerability to access sensitive information. As the issue occurs during verbose logging, the attacker could potentially gain access to misinterpreted credentials files, particularly if they contain confidential information. This risk is heightened if logging data is accessible by unauthorized users or mistakenly shared.

Exploit Details

The flaw lies within the verbose logging option (--verbose) that may output sensitive information from the contents of invalid credentials files. This information leak can be exploited if an attacker is able to view the output of verbose logging.

2. cifs-utils attempts to parse this file as a credentials file for mounting a CIFS share
3. Due to the presence of the equal sign (=) in the file, cifs-utils fails to correctly parse the file as a valid credentials file
4. When the --verbose option is enabled, cifs-utils logs the error and mistakenly includes the content of the file in its output

In the above scenario, an attacker with access to the log output can gain access to sensitive information that should not be exposed.

Code Snippet

The following code snippet from cifs-utils' parse_credential_file() function demonstrates the issue:

FILE *fp;
char line[MAX_UNC_LEN];
char key[MAX_UNC_LEN], value[MAX_UNC_LEN];   /* destinations filled by sscanf() */
int ret;
...
fp = fopen(file, "r");
if (fp == NULL) {
    ...
}
while (fgets(line, sizeof(line), fp) != NULL) {
    ...
    /* split "key=value"; note the conversions carry no width limit */
    ret = sscanf(line, "%[^=]=%s", key, value);
    ...
    if (verbose) {
        /* the raw line and the parsed value are echoed to stderr regardless of what the file is */
        fprintf(stderr, "line: %s, key: %s, value: %s\n", line, key, value);
    }
}

The code above reads the file line by line and uses sscanf() to split each line into a key and a value. When --verbose is enabled, the diagnostic written to stderr carries the raw line and the parsed value, so any file handed to mount.cifs as a credentials file, including one that is not a valid credentials file, has its contents copied into the log output.
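The safe pattern is to keep verbose diagnostics free of file contents: report the line number and the class of failure, never the line, key or value. The following is an added example written for this post, not code from cifs-utils; the function names (parse_cred_line, parse_cred_buffer), the accepted key names and the sample file contents are all constructed for illustration. It also bounds the sscanf() conversions so that an overlong line cannot overflow the key and value buffers.

```c
/* Added example, not cifs-utils code: a credentials-file parser whose verbose
 * diagnostics never echo file contents. All names and sample data are constructed. */
#include <stdio.h>
#include <string.h>

#define CRED_FIELD_MAX 256
#define DIAG_MAX 1024

enum cred_status { CRED_OK = 0, CRED_SKIPPED, CRED_UNKNOWN_KEY, CRED_MALFORMED };

struct creds {
    char user[CRED_FIELD_MAX];
    char pass[CRED_FIELD_MAX];
    char domain[CRED_FIELD_MAX];
};

/* Append one diagnostic to a caller-owned buffer that stands in for stderr. */
static void diag_append(char *diag, size_t diaglen, const char *msg)
{
    size_t used = strlen(diag);
    if (used < diaglen)
        snprintf(diag + used, diaglen - used, "%s", msg);
}

/* Parse one line. Width-limited conversions keep key/value inside their buffers;
 * on failure the verbose message names only the line number and failure class. */
static enum cred_status parse_cred_line(const char *line, int lineno, struct creds *c,
                                        int verbose, char *diag, size_t diaglen)
{
    char key[CRED_FIELD_MAX], value[CRED_FIELD_MAX], msg[96];
    const char *p = line + strspn(line, " \t\r\n");

    if (*p == '\0' || *p == '#')          /* blank lines and comments are not errors */
        return CRED_SKIPPED;

    if (sscanf(line, " %255[^=]=%255s", key, value) != 2) {
        if (verbose) {
            snprintf(msg, sizeof msg, "line %d: malformed entry (content withheld)\n", lineno);
            diag_append(diag, diaglen, msg);
        }
        return CRED_MALFORMED;
    }
    /* trim trailing blanks from the key so "user = x" still matches */
    for (size_t k = strlen(key); k > 0 && (key[k - 1] == ' ' || key[k - 1] == '\t'); k--)
        key[k - 1] = '\0';

    if (strcmp(key, "username") == 0 || strcmp(key, "user") == 0)
        snprintf(c->user, sizeof c->user, "%s", value);
    else if (strcmp(key, "password") == 0 || strcmp(key, "pass") == 0)
        snprintf(c->pass, sizeof c->pass, "%s", value);
    else if (strcmp(key, "domain") == 0 || strcmp(key, "dom") == 0)
        snprintf(c->domain, sizeof c->domain, "%s", value);
    else {
        if (verbose) {
            /* the unknown key is not logged either: in a misdirected file it is content too */
            snprintf(msg, sizeof msg, "line %d: unrecognised key (name withheld)\n", lineno);
            diag_append(diag, diaglen, msg);
        }
        return CRED_UNKNOWN_KEY;
    }
    return CRED_OK;
}

/* Parse a whole file held in memory (stands in for fopen/fgets).
 * Returns the number of lines that failed; parsed values land in c. */
static int parse_cred_buffer(const char *buf, struct creds *c, int verbose,
                             char *diag, size_t diaglen)
{
    char line[CRED_FIELD_MAX];
    int lineno = 0, failures = 0;
    const char *p = buf;

    memset(c, 0, sizeof *c);
    diag[0] = '\0';
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)            /* overlong line: truncated, still never echoed */
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        enum cred_status st = parse_cred_line(line, lineno, c, verbose, diag, diaglen);
        if (st == CRED_MALFORMED || st == CRED_UNKNOWN_KEY)
            failures++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return failures;
}

/* Constructed sample: mostly a credentials file, but with a stray "=" entry and junk. */
static const char SAMPLE_CREDS[] =
    "# constructed sample, not a real credentials file\n"
    "username=alice\n"
    "password=s3cr3t-value\n"
    "API_TOKEN=hunter2-token\n"
    "this line has no separator\n";

int main(void)
{
    struct creds c;
    char diag[DIAG_MAX];
    int failures = parse_cred_buffer(SAMPLE_CREDS, &c, 1, diag, sizeof diag);
    printf("user=%s failures=%d\n%s", c.user, failures, diag);
    return failures ? 1 : 0;
}
```

Run against the sample, the verbose output reports "line 4" and "line 5" as failures but contains neither the password, the API_TOKEN key nor its value; only the parsed username and password reach the creds structure.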

Mitigation and Patch

The vulnerability has been addressed in the cifs-utils 6.15 release (release notes). To protect against this vulnerability, affected users should:

1. Upgrade to cifs-utils 6.15 or later
2. Avoid using the --verbose option, or apply access controls to prevent unauthorized users from accessing log outputs

References

1. CVE-2022-29869
2. cifs-utils ChangeLog
3. CIFS: Common Internet File System

Conclusion

CVE-2022-29869 is an information leak vulnerability in cifs-utils that can reveal sensitive information contained in invalid credentials files during verbose logging. It is highly recommended to update to the latest version of cifs-utils and apply security best practices to ensure logs are appropriately protected from unauthorized access.

Timeline

Published on: 04/28/2022 01:15:00 UTC
Last modified on: 06/03/2022 15:15:00 UTC