CVE-2022-3560: Pesign Vulnerability Allows Access to Privileged Files and Directories

A security vulnerability has been discovered in the pesign package, which could potentially allow an attacker to gain access to privileged files and directories. This flaw is identified as CVE-2022-3560 and affects pesign, a software that provides a systemd service used to start the pesign daemon. In this detailed post, we will explore the nature of the vulnerability, how to exploit it, relevant code snippets, and links to original references for further reading.

Vulnerability Details

The pesign package offers a systemd service that is used to start the pesign daemon. This service unit runs a script responsible for setting Access Control Lists (ACLs) for two directories: /etc/pki/pesign and /run/pesign. The ACLs grant access privileges to users in the 'pesign' group. However, there is a critical issue with this script as it does not check for symbolic links. An attacker can exploit this weakness to gain unauthorized access to sensitive files and directories through a path traversal attack.

The following code snippet demonstrates the vulnerability in the pesign package

#!/bin/bash
# Script to set ACLs for /etc/pki/pesign and /run/pesign directories

# Get pesign group ID
pesign_gid=$(getent group pesign | cut -d: -f3)

# Set ACLs for /etc/pki/pesign
chown root:pesign /etc/pki/pesign
chmod 075 /etc/pki/pesign
setfacl -m g:${pesign_gid}:rx /etc/pki/pesign

# Set ACLs for /run/pesign
chown root:pesign /run/pesign
chmod 075 /run/pesign
setfacl -m g:${pesign_gid}:rwx /run/pesign

The above script sets the ACLs for the specified directories, but it does not validate if these directories are actual directories or symbolic links pointing to another location. This lack of validation could enable an attacker to replace one of those directories with a symbolic link, leading to unauthorized access to privileged files and directories.

To exploit this vulnerability, an attacker can create a symbolic link to a sensitive directory, like so:

$ ln -s /path/to/sensitive_directory /etc/pki/pesign

Once this symbolic link is in place, any user in the 'pesign' group will have access privileges to the sensitive files and directories, bypassing the intended access controls.

Solution & Mitigation

To mitigate this vulnerability, the script must be updated to include a check for symbolic links before setting ACLs on the target directories. The updated code snippet should be as follows:

#!/bin/bash
# Script to set ACLs for /etc/pki/pesign and /run/pesign directories, with symlink check

# Check if /etc/pki/pesign or /run/pesign is a symbolic link
if [ -L "/etc/pki/pesign" ] || [ -L "/run/pesign" ]; then
    echo "Symbolic link detected, aborting..."
    exit 1
fi

# Existing script to set ACLs (same as previous)...
 

The added check for symbolic links will ensure that only actual directories receive ACL updates, thereby preventing path traversal attacks.

Original References

For more information about this vulnerability and the proposed fix, please refer to the following links:

1. CVE-2022-3560 - MITRE's entry for this vulnerability.
2. Pesign package - Pesign GitHub repository.

Conclusion

CVE-2022-3560 is a critical vulnerability in the pesign package that could allow attackers to gain access to privileged files and directories by exploiting a lack of symbolic link validation in the access control script. It is vital for affected users to apply the necessary patches and updates to their systems and software to mitigate this security risk.

Timeline

Published on: 02/02/2023 21:22:00 UTC
Last modified on: 02/10/2023 13:17:00 UTC