CVE-2020-13882


Vendor: cpe:2.3:a:cisofy
Product: cpe:2.3:a:cisofy:lynis
Vulnerable version(s): Tested 2.7.5. Earlier versions are affected.
Version with fix: 3.0.0

Attack vector


The symlink detection routine in Lynis before 3.0.0 could be bypassed, which allows local users to manipulate the data in both the log and report. The data manipulation can be used to perform a Denial of Service, retrieve additional system information, or even achieve privilege escalation.

To exploit the vulnerability, an attacker needs local access to the system and must wait until another non-privileged user runs Lynis. If symlinks are not protected by the kernel (Linux: fs.protected_hardlinks or fs.protected_symlinks), a TOCTTOU race condition might grant access to the log and report file.

Description


Sander Bos discovered that the routine to check the log and report file permissions was not working as intended and could still be bypassed. This is possible due to a race condition (Time of Check to Time of Use, TOCTTOU). It allows an unprivileged attacker to set up a log and report file and keep control of it up to the point where the routine performs its check. After that, the file can be removed, recreated, and used for further attacks.
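The race exists because a path is checked first and used afterwards. As an added illustration (not Lynis code and not the 3.0.0 fix), the C routine below shows the pattern that closes that window: open the file with O_NOFOLLOW and validate the descriptor that was actually opened with fstat(), so check and use refer to the same inode. The demo() fixture (temp directory, file names) is constructed for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open a log/report file for writing without following a symlink, then
 * validate the object actually opened via fstat() on the descriptor.
 * Check and use refer to the same inode, so there is no TOCTTOU window. */
int open_log_safely(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                       /* ELOOP when the final component is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);                       /* hard link, device/FIFO, or not owned by us */
        return -1;
    }
    return fd;
}

/* Helper: 1 if open_log_safely() accepts the path, 0 if it refuses it. */
static int accepted(const char *path) {
    int fd = open_log_safely(path);
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

/* Constructed fixture (not part of the advisory): a private temp dir with a
 * regular file, a symlink to it, and a hard link to it. Returns 1 when the
 * regular file is accepted and both link types are rejected, else 0. */
int demo(void) {
    char dir[] = "/tmp/lynis-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char reg[128], lnk[128], hard[128];
    snprintf(reg, sizeof reg, "%s/lynis.log", dir);
    snprintf(lnk, sizeof lnk, "%s/lynis-sym.log", dir);
    snprintf(hard, sizeof hard, "%s/lynis-hard.log", dir);
    int ok = 1;
    if (!accepted(reg)) ok = 0;                            /* fresh regular file: accepted */
    if (symlink(reg, lnk) != 0 || accepted(lnk)) ok = 0;   /* symlink: refused (ELOOP) */
    if (link(reg, hard) != 0 || accepted(hard)) ok = 0;    /* hard link: refused (st_nlink == 2) */
    unlink(hard); unlink(lnk); unlink(reg); rmdir(dir);
    return ok;
}

int main(void) {
    printf("safe-open checks %s\n", demo() ? "passed" : "FAILED");
    return 0;
}
```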

Mitigation


Linux users with kernel 3.6 or higher can set fs.protected_hardlinks=1 and fs.protected_symlinks=1 to counter the symlink attack.

Discoverer and credits


Special thanks to Sander Bos for his discovery and responsible disclosure. Thanks to Katarina Durechova for the code change.
Entry last updated June 18, 2020