Headline
CVE-2021-42056: GitHub - z00z00z00/Safenet_SAC_CVE-2021-42056: Safenet Authentication Client Privilege Escalation - CVE-2021-42056
Thales Safenet Authentication Client (SAC) for Linux and Windows through 10.7.7 creates insecure temporary hid and lock files allowing a local attacker, through a symlink attack, to overwrite arbitrary files, and potentially achieve arbitrary command execution with high privileges.
Safenet Authentication Client Privilege Escalation CVE-2021-42056
Based on Thales’ website [1], SafeNet Authentication Client – is a middleware client that manages Thales’ extensive SafeNet portfolio of certificate-based authenticators, including eTokens, SafeNet IDPrime smart cards, USB and software-based devices.
Improper permissions have been set on multiple files allowing file overwrite as root user - as well as privilege escalation (requiring multiple steps).
Details
CWE-378: Creation of Temporary File With Insecure Permissions CWE-377: Insecure Temporary File
During installation, Safenet set chmod 777 on the following directories, and 666 on files (listing files which are still vulnerable on latest SAC version):
- /tmp/eToken.hid/*
- /tmp/eToken.lock/*
- /var/tmp/eToken.cache/*
eToken.* are created/updated when SafeNet Authentication Client is performing different operations (eg. lock/unlock).
Two different issues:
- files are created with a static name
- permissions are set to world-read/write/execution ; and created with root privileges
Therefore, any local attacker can, through a symlink attack:
- overwrite any file on the system with SACSrv privileges (launched by default as root). Overwriting some system files (eg. /bin/sh, /etc/shadow) might be critical
- obtain root/777 privileges and put malicious/modified content on a legitimate one (eg. /etc/shadow)
- obtain root shell access on the system by replacing root hash on the “new” /etc/shadow file
The same issue has been found on Windows-based system (“Everyone” set with “Full control” permissions) on these files - and didn’t find any easy way to exploit with a symlink attack (blocked by default in any recent Windows systems).
PoC
drwxrwxrwx 2 root root 4.0K Jul 10 21:18 eToken.lock
-rw-rw-rw- 1 root root 0 Jul 10 21:30 ‘AKS ifdh [eToken 5110 SC] 00 00.lock’
It’s the same for eToken.hid
drwxrwxrwx 2 root root 4.0K Jul 10 21:30 eToken.hid
-rw-rw-rw- 1 root root 0 Jul 10 21:30 global.lock
- z00@z00:/tmp/eToken.lock/$ ln -s /etc/passwdTEST ‘AKS ifdh [eToken 5110 SC] 00 00.lock’
or
- z00@z00:/tmp/eToken.hid/$ ln -s /etc/passwdTEST global.lock
When token status changed (user is logging in; reconnecting through their VPN):
$ ls -laht /etc/passwdTEST -rw-rw-rw- 1 root root 0 Jul 10 21:20 /etc/passwdTEST
Information and Timeline
- Discovered by: @z00kov - CERT Orange Cyberdefense
- https://www.orangecyberdefense.com/
- CVE-2021-42056
- Release date: 13.06.2022
- Revision 1.0
- Severity: Low/Medium
- 12.07.2021: Reported to Thales
- 13.07.2021: Thales ack
- 21.07.2021: Thales answered this issue should be fixed during Q2 2022
- 21.07.2021: Answered this issue will be published after 120 days
- 07.10.2021: MITRE assigned CVE-2021-42056
- 12.06.2022: Latest version (10.7.7) still vulnerable
- 13.06.2022: Release date
[1] https://cpl.thalesgroup.com/en-gb/access-management/security-applications/authentication-client-token-management