fkie_cve-2021-27851
Vulnerability from fkie_nvd
Published
2021-04-26 16:15
Modified
2024-11-21 05:58
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.
References
cret@cert.orghttps://bugs.gnu.org/47229Issue Tracking, Mailing List, Patch, Vendor Advisory
cret@cert.orghttps://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugs.gnu.org/47229Issue Tracking, Mailing List, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/Patch, Vendor Advisory
Impacted products
Vendor Product Version
gnu guix *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gnu:guix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D489F131-C780-45C0-99CF-B59532F60807",
              "versionEndExcluding": "1.2.0",
              "versionStartIncluding": "0.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A security vulnerability that can lead to local privilege escalation has been found in \u2019guix-daemon\u2019. It affects multi-user setups in which \u2019guix-daemon\u2019 runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado una vulnerabilidad de seguridad en \"guix-daemon\" que puede conllevar a una escalada de privilegios local.\u0026#xa0;Afecta a las configuraciones multiusuario en las que \"guix-daemon\" se ejecuta localmente.\u0026#xa0;El ataque consiste en hacer que un usuario no privilegiado genere un proceso de compilaci\u00f3n, por ejemplo con \"guix build\", que hace que su directorio de compilaci\u00f3n sea world-writable.\u0026#xa0;Luego, el usuario crea un v\u00ednculo f\u00edsico a un archivo de propiedad root tal y como /etc/shadow en ese directorio de compilaci\u00f3n.\u0026#xa0;Si el usuario pas\u00f3 la opci\u00f3n --keep-failed y finalmente se produce un fallo en la compilaci\u00f3n, el demonio cambia la propiedad de todo el \u00e1rbol de compilaci\u00f3n, incluido el enlace f\u00edsico, al usuario.\u0026#xa0;En ese momento, el usuario tiene acceso de escritura al archivo de destino.\u0026#xa0;Las versiones posteriores a la v0.11.0-3298-g2608e40988 y las versiones anteriores a la v1.2.0-75109-g94f0312546 son vulnerables"
    }
  ],
  "id": "CVE-2021-27851",
  "lastModified": "2024-11-21T05:58:38.123",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-04-26T16:15:07.433",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugs.gnu.org/47229"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugs.gnu.org/47229"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "cret@cert.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.