CVE-2021-42056: GitHub - z00z00z00/Safenet_SAC_CVE-2021-42056: Safenet Authentication Client Privilege Escalation - CVE-2021-42056

Thales Safenet Authentication Client (SAC) for Linux and Windows through 10.7.7 creates insecure temporary hid and lock files allowing a local attacker, through a symlink attack, to overwrite arbitrary files, and potentially achieve arbitrary command execution with high privileges.


Safenet Authentication Client Privilege Escalation CVE-2021-42056

According to Thales' website [1], SafeNet Authentication Client is a middleware client that manages Thales' extensive SafeNet portfolio of certificate-based authenticators, including eTokens, SafeNet IDPrime smart cards, and USB and software-based devices.

Improper permissions are set on multiple files, allowing any local user to overwrite files as root, and from there to escalate privileges (in multiple steps).

Details

  • CWE-378: Creation of Temporary File With Insecure Permissions
  • CWE-377: Insecure Temporary File

During installation, SafeNet sets mode 777 on the following directories and 666 on the files inside them (the list covers files that are still vulnerable in the latest SAC version):

  • /tmp/eToken.hid/*
  • /tmp/eToken.lock/*
  • /var/tmp/eToken.cache/*

The eToken.* files are created or updated while SafeNet Authentication Client performs its various operations (e.g. lock/unlock).

There are two distinct issues:

  • the files are created with static, predictable names
  • the files are created with root privileges, and their permissions are world-readable/writable/executable

Therefore, any local attacker can, through a symlink attack:

  • overwrite any file on the system with the privileges of SACSrv (launched as root by default); overwriting certain system files (e.g. /bin/sh, /etc/shadow) can be critical
  • obtain a root-owned, mode 666 copy of a legitimate file (e.g. /etc/shadow) and place malicious or modified content in it
  • obtain root shell access on the system by replacing the root password hash in the "new" /etc/shadow file

The same issue was found on Windows-based systems ("Everyone" is granted "Full control" on these files), but no easy way to exploit it with a symlink attack was found there (such links are blocked by default on any recent Windows system).

PoC

Directory and file permissions as created by SAC:

    drwxrwxrwx 2 root root 4.0K Jul 10 21:18 eToken.lock
    -rw-rw-rw- 1 root root    0 Jul 10 21:30 'AKS ifdh [eToken 5110 SC] 00 00.lock'

It is the same for eToken.hid:

    drwxrwxrwx 2 root root 4.0K Jul 10 21:30 eToken.hid
    -rw-rw-rw- 1 root root    0 Jul 10 21:30 global.lock

Replace one of the static files with a symlink:

  • z00@z00:/tmp/eToken.lock/$ ln -s /etc/passwdTEST 'AKS ifdh [eToken 5110 SC] 00 00.lock'

or

  • z00@z00:/tmp/eToken.hid/$ ln -s /etc/passwdTEST global.lock

When the token status changes (e.g. the user logs in, or reconnects through their VPN), the link target is created as root:

    $ ls -laht /etc/passwdTEST
    -rw-rw-rw- 1 root root 0 Jul 10 21:20 /etc/passwdTEST
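Since no fixed version exists at the time of writing, an administrator may want to check a host for the conditions shown above. The following audit script is an added example, not part of the advisory or of the SafeNet product: it inspects the three directories the advisory lists and reports world-writable entries (the 777/666 case) and any symlink placed inside them, including its target, so the analyst can see what the root-owned service would overwrite.

```python
"""Audit the SafeNet Authentication Client temp directories (CVE-2021-42056).

Reports the two conditions described in the advisory: world-writable
directories/files, and symlinks inside those directories (the primitive used
by the symlink attack). Uses lstat() throughout so the link itself is
examined rather than whatever it points to.
"""
import os
import stat

# Directories the advisory lists as created with mode 777 (files with 666).
SAC_TEMP_DIRS = ["/tmp/eToken.hid", "/tmp/eToken.lock", "/var/tmp/eToken.cache"]


def audit_dir(directory):
    """Return a list of (path, issue) tuples for one directory.

    Issues reported:
      "world-writable directory [without sticky bit]" - any user can create,
          rename or unlink entries; without the sticky bit they may also
          remove files owned by root and replace them with links
      "world-writable file" - mode grants write to 'other' (the 666 case)
      "symlink -> <target>" - an entry is a symbolic link; the target is the
          file the root-owned service would create or overwrite
    """
    findings = []
    try:
        st = os.lstat(directory)
    except FileNotFoundError:
        return findings  # SAC not installed, or directory not yet created
    if st.st_mode & stat.S_IWOTH:
        issue = "world-writable directory"
        if not st.st_mode & stat.S_ISVTX:
            issue += " without sticky bit"
        findings.append((directory, issue))
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # do not follow the link we are looking for
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink -> " + os.readlink(path)))
        elif st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable file"))
    return findings


def audit_all(dirs=SAC_TEMP_DIRS):
    """Audit every SAC temp directory and return the combined findings."""
    findings = []
    for directory in dirs:
        findings.extend(audit_dir(directory))
    return findings


if __name__ == "__main__":
    for path, issue in audit_all():
        print(f"{issue}: {path}")
```

An empty result means the directories are absent or carry no world-writable entries and no symlinks; a "symlink ->" line on a production host is worth treating as an indicator of attempted exploitation rather than a configuration defect.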

Information and Timeline

  • Discovered by: @z00kov - CERT Orange Cyberdefense
  • https://www.orangecyberdefense.com/
  • CVE-2021-42056
  • Release date: 13.06.2022
  • Revision 1.0
  • Severity: Low/Medium
  • 12.07.2021: Reported to Thales
  • 13.07.2021: Thales acknowledged the report
  • 21.07.2021: Thales answered that this issue should be fixed during Q2 2022
  • 21.07.2021: Replied that this issue would be published after 120 days
  • 07.10.2021: MITRE assigned CVE-2021-42056
  • 12.06.2022: Latest version (10.7.7) still vulnerable
  • 13.06.2022: Release date

[1] https://cpl.thalesgroup.com/en-gb/access-management/security-applications/authentication-client-token-management
