The Common Vulnerabilities and Exposures (CVE) project has recently published a security vulnerability affecting multipath-tools versions 0.7.7 through 0.9.x before 0.9.2. The vulnerability, identified as CVE-2022-41973, can allow local attackers to gain unauthorized root access on a targeted system by exploiting insecure symlink handling in the multipathd component. It is closely linked with another security flaw, CVE-2022-41974, which can be exploited in conjunction with it to gain elevated privileges.

The vulnerability in detail

CVE-2022-41973 covers improper symlink handling in the multipathd daemon: local users who can access /dev/shm can change symlinks that multipathd follows, leading to controlled file writes outside the /dev/shm directory. A malicious local user can therefore combine this flaw with CVE-2022-41974 to escalate privileges and obtain root access on the targeted system.

Code snippet illustrating the vulnerable pattern in multipath-tools

void insecure_symlink_handling() {
   ...
   // The symlink target is validated once, before the link is created ...
   if (check_symlink_target(...)) {
      create_symlink(...);
   } else {
      log("symlink target is not allowed ...");
   }
   // ... but the later create/remove operations reuse the path without
   // re-checking it, so a link changed in the meantime is followed
   // (no protection against path traversal)
}

In the code snippet above, the multipathd program checks whether the symlink target is valid. That check is separate from the symlink creation and removal that follow it, however, so a link that a local user changes after the check is followed as-is; the result is a file-path manipulation vulnerability in which writes intended for /dev/shm can be redirected elsewhere through path traversal.
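The following is an added example, not code from multipath-tools or from the original write-up. It contrasts the naive pattern (a path-based open that follows whatever symlink sits in a world-writable directory) with the hardened pattern a daemon writing under /dev/shm should use: open the directory first, then openat the entry with O_NOFOLLOW, and verify with fstat that what was opened is a regular file owned by the caller. The temporary directory, the "link" and "plain" names and the sibling ".victim" path are constructed fixtures for the demonstration; the function names are this example's own.

```c
// Added example: symlink-safe file creation under a shared directory such as
// /dev/shm, beside the unsafe pattern it replaces. Not multipath-tools code.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hardened: open NAME inside DIR for writing without following any symlink
 * and without accepting anything that is not a plain file we own.
 * Returns an open fd, or -1 on refusal/error. */
int open_no_follow(const char *dir, const char *name) {
    if (strchr(name, '/') != NULL)      /* single component only: no "../x" */
        return -1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    /* O_NOFOLLOW makes the kernel fail with ELOOP if NAME is a symlink,
     * even a dangling one that O_CREAT would otherwise "create through". */
    int fd = openat(dirfd, name, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dirfd);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                       /* device node, hard link, foreign owner */
        return -1;
    }
    return fd;
}

/* Unsafe: a path-based open follows a planted symlink, so the write lands
 * wherever the link points, outside the shared directory. */
static int open_following(const char *dir, const char *name) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Constructed fixture: a temp dir holding a dangling symlink "link" that
 * points at a sibling path outside the dir, plus a regular file "plain".
 * Returns a bitmask of the checks that held; 15 means all four. */
int demo_run(void) {
    char dir[] = "/tmp/shmdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char linkpath[4200], target[4200], plain[4200];
    snprintf(linkpath, sizeof linkpath, "%s/link", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(target, sizeof target, "%s.victim", dir);   /* outside dir */
    int result = 0;
    if (symlink(target, linkpath) == 0) {
        /* 1: hardened open refuses the link; the outside file is never created */
        if (open_no_follow(dir, "link") < 0 && access(target, F_OK) != 0)
            result |= 1;
        /* 2: naive open follows the link and creates the file outside dir */
        int bad = open_following(dir, "link");
        if (bad >= 0 && access(target, F_OK) == 0) {
            result |= 2;
            close(bad);
        }
        unlink(target);
        unlink(linkpath);
    }
    /* 4: a plain regular file we own is accepted */
    int fd = open_no_follow(dir, "plain");
    if (fd >= 0) {
        result |= 4;
        close(fd);
        unlink(plain);
    }
    /* 8: a name carrying a path separator is rejected before any syscall */
    if (open_no_follow(dir, "../plain") < 0)
        result |= 8;
    rmdir(dir);
    return result;
}

int main(void) {
    printf("checks held: %d (15 = all)\n", demo_run());
    return 0;
}
```

The design choice worth noting is that the hardened path never trusts a pathname it checked earlier: the directory fd plus openat with O_NOFOLLOW means the kernel, not a prior stat, decides whether the entry is a link, which closes the check-then-use gap the snippet above leaves open.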

Exploit details

Attackers could begin exploiting this vulnerability by first identifying systems running vulnerable versions of multipath-tools (0.7.7 through 0.9.x before 0.9.2). On such a system, an attacker with local access could exploit the insecure symlink handling in multipathd to write files outside of the /dev/shm directory and so indirectly gain root access. This could be achieved by:

1. Obtaining local access as a user who can write to /dev/shm.

2. Exploiting this flaw in conjunction with CVE-2022-41974 to perform local privilege escalation and ultimately obtain root access.

Mitigation

Users of multipath-tools are strongly advised to update their software to version 0.9.2 or later to patch the vulnerability. This can be done by following the update instructions provided by the multipath-tools development team:

1. Visit the multipath-tools GitHub repository.

2. Find the latest release of multipath-tools (at least version 0.9.2).

3. Download the appropriate package for your system and follow the installation/upgrade instructions provided by the software team.

Additionally, it is important to follow system security best practices such as applying the principle of least privilege, regularly updating software, and monitoring system activity, so that attackers do not gain the unauthorized local access this vulnerability requires.

Timeline

Published on: 10/29/2022 18:15:00 UTC
Last modified on: 11/22/2022 14:15:00 UTC