A security flaw has been discovered in Cargo, the package manager for the Rust programming language. This vulnerability, identified as CVE-2023-38497, affects the way Cargo handles file permissions while extracting crate archives on UNIX-like systems. Versions of Cargo prior to 0.72.2, bundled with Rust prior to version 1.71.1, are susceptible to this issue. By exploiting it, a local user can alter source code that is compiled and executed by another user. This article explains the details of the vulnerability, shows a code snippet that illustrates the issue, and provides mitigation guidance with links to the original references.

Vulnerability Details

The key issue in the vulnerable Cargo versions is that they disregard the system's umask setting while extracting crate archives. As a result, a downloaded crate that contains files marked writeable by any local user is extracted with those permissions intact, leaving the files open to modification by other local users. An attacker can leverage this weakness to compromise the integrity of a Rust project's dependencies and, ultimately, the entire project.

A vulnerable Cargo process behaves roughly as follows (a simplified sketch built on the tar crate that Cargo uses; real .crate files are also gzip-compressed, which is omitted here):

// Simplified sketch of the extraction logic in vulnerable Cargo versions
use std::fs::File;
use std::io;
use std::path::Path;
use tar::Archive;

fn extract_crate(archive_path: &Path, target_path: &Path) -> io::Result<()> {
    let mut archive = Archive::new(File::open(archive_path)?);

    for entry in archive.entries()? {
        let mut entry = entry?;

        // unpack_in joins the entry path onto target_path and rejects
        // entries that try to escape it (the path sanitization step).
        //
        // Notice the absence of umask handling here: the mode bits stored in
        // the archive header are applied to the file as-is, so an entry
        // recorded as world-writable is created world-writable on disk.
        entry.unpack_in(target_path)?;
    }

    Ok(())
}

Fixes and Workarounds

The Rust team has addressed this vulnerability in Cargo version 0.72.2, included in Rust 1.71.1. The fixed versions both honour the umask setting during extraction and automatically purge caches generated by older, vulnerable Cargo versions.

To thwart potential exploits based on existing cached extractions, consider revising your setup to restrict access to Cargo directories from other local users. The typical location of the Cargo directory is ~/.cargo.

# Ensure only the owner can access the Cargo directory
# (700 = read/write/execute for the owner, no access for group or others)
chmod 700 ~/.cargo
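The following Rust program is an added illustration, not Cargo's own code: it contrasts applying an archive entry's mode bits verbatim (the vulnerable behaviour) with reducing them by the umask (the fix), and adds a small audit routine for cached sources left behind by an older Cargo. The names masked_mode, write_entry and group_or_world_writable are hypothetical, the sample files are constructed in a temporary directory, and a UNIX-like system is assumed.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Mode bits from an archive header reduced by the process umask, as the
/// fixed Cargo does: an entry stored as 0666 under umask 022 lands as 0644.
pub fn masked_mode(archive_mode: u32, umask: u32) -> u32 {
    archive_mode & 0o7777 & !umask
}

/// Write one extracted entry and return the mode it ended up with. `umask = None`
/// mimics vulnerable Cargo (archive bits applied verbatim); `Some(mask)` mimics the fix.
pub fn write_entry(dest: &Path, data: &[u8], mode: u32, umask: Option<u32>) -> io::Result<u32> {
    fs::write(dest, data)?;
    let on_disk = match umask {
        None => mode & 0o7777,
        Some(m) => masked_mode(mode, m),
    };
    fs::set_permissions(dest, fs::Permissions::from_mode(on_disk))?;
    Ok(fs::metadata(dest)?.permissions().mode() & 0o7777)
}

/// Audit helper for caches left by older Cargo versions: regular files under
/// `root` (e.g. ~/.cargo/registry/src) that group or other users can write to.
pub fn group_or_world_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    for entry in fs::read_dir(root)? {
        let path = entry?.path();
        let meta = fs::symlink_metadata(&path)?; // do not follow symlinks
        if meta.file_type().is_dir() {
            found.extend(group_or_world_writable(&path)?);
        } else if meta.file_type().is_file() && meta.permissions().mode() & 0o022 != 0 {
            found.push(path);
        }
    }
    Ok(found)
}

fn main() -> io::Result<()> {
    // Constructed sample: two "extracted" files from an entry stored as 0666.
    let dir = std::env::temp_dir().join("cargo-umask-demo");
    fs::create_dir_all(&dir)?;
    let vuln = write_entry(&dir.join("vuln.rs"), b"fn f() {}", 0o666, None)?;
    let fixed = write_entry(&dir.join("fixed.rs"), b"fn f() {}", 0o666, Some(0o022))?;
    println!("vulnerable: {:o}, fixed: {:o}", vuln, fixed);
    println!("{} file(s) writable by other users", group_or_world_writable(&dir)?.len());
    Ok(())
}
```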

Original References and Further Reading

1. Rust Security Advisory: RustSec/Advisory-DB GHSA-cfwh-mph7-h372
2. Cargo Release Notes: Version 0.72.2
3. Rust Release Notes: Version 1.71.1

Conclusion

Ensuring the security of software projects is an essential aspect of modern development. The discovery of CVE-2023-38497 highlights the need for careful permission management in Cargo and other tools leveraging similar extraction mechanisms. As a user, it is vital to stay informed and apply security updates to your development environment, build systems, and dependencies.

Timeline

Published on: 08/04/2023 16:15:00 UTC
Last modified on: 08/17/2023 19:15:00 UTC