CVE-2024-52522

Improper Preservation of Permissions (CWE-281)

Published: Nov 15, 2024 / Updated: 4d ago

010
CVSS 5.4EPSS 0.04%Medium
CVE info copied to clipboard

Summary

Rclone, a command-line program for syncing files and directories across cloud storage providers, has a vulnerability in its handling of symlinks when using the --links and --metadata options during local disk copying operations. This insecure handling allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy.

Impact

This vulnerability could lead to privilege escalation and unauthorized access to critical system files. It potentially compromises system integrity, confidentiality, and availability. The attack vector is local, requires low attack complexity, and active user interaction. The vulnerability has a high impact on the vulnerable system's confidentiality and integrity, with a low impact on availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been fixed in Rclone version 1.68.2.

Mitigation

1. Update Rclone to version 1.68.2 or later as soon as possible. 2. If immediate updating is not feasible, avoid using the --links and --metadata options when copying to local disks, especially in environments where unprivileged users have access. 3. Implement the principle of least privilege, limiting the use of superuser or privileged processes for file operations. 4. Monitor and audit file system changes, particularly those involving symlinks and permission modifications. 5. Regularly review and update access controls on critical system files.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514212)

Nov 15, 2024 at 7:53 AM
Vendor Advisory

GitHub Advisories released a security advisory.

Nov 15, 2024 at 2:52 PM
CVE Assignment

NVD published the first details for CVE-2024-52522

Nov 15, 2024 at 6:15 PM
CVSS

A CVSS base score of 5.4 has been assigned.

Nov 15, 2024 at 6:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-52522. See article

Nov 15, 2024 at 6:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 15, 2024 at 6:24 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 15, 2024 at 6:43 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 15, 2024 at 7:19 PM
CVSS

A CVSS base score of 5.5 has been assigned.

Nov 15, 2024 at 7:40 PM / nvd
Static CVE Timeline Graph

Affected Systems

Rclone/rclone
+null more

Patches

bugzilla.redhat.com
+null more

Links to Mitre Att&cks

T1547.009: Shortcut Modification
+null more

Attack Patterns

CAPEC-132: Symlink Attack
+null more

Vendor Advisory

[GHSA-hrxh-9w67-g4cv] Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata
Type of Vulnerability: Improper permissions and ownership handling on symlink targets (Insecure Handling of Symlinks) Impact: This vulnerability allows unprivileged users to modify permissions and ownership of sensitive system files by creating symlinks to those files in directories that are subsequently copied by an administrator with rclone --links --metadata. As a result, ownership and permissions on sensitive system files (e.g., /etc/shadow) may be altered if they are the target of any symlink within the copied directory structure.

News

Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata
Insecure handling of symlinks with –links and –metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files (e.g., /etc/shadow), compromising system integrity, confidentiality, and availability. For instance, an unprivileged user could set a symlink to a sensitive …
[GHSA-hrxh-9w67-g4cv] Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata
Type of Vulnerability: Improper permissions and ownership handling on symlink targets (Insecure Handling of Symlinks) Impact: This vulnerability allows unprivileged users to modify permissions and ownership of sensitive system files by creating symlinks to those files in directories that are subsequently copied by an administrator with rclone --links --metadata. As a result, ownership and permissions on sensitive system files (e.g., /etc/shadow) may be altered if they are the target of any symlink within the copied directory structure.
CVE-2024-52522
Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. 2326544 - rclone: librclone: improper permission and ownership handling on symlink targets with --links and --metadata
Detected change on RClone Changelog
symlinks with --links and --metadata (Nick Craig-Wood) --metadata (Nick Craig-Wood)
CVE-2024-52522 | Rclone up to 1.68.1 permissions (GHSA-hrxh-9w67-g4cv)
A vulnerability was found in Rclone up to 1.68.1 and classified as critical . This issue affects some unknown processing. The manipulation leads to preservation of permissions. The identification of this vulnerability is CVE-2024-52522 . It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.
See 3 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Unchanged
Confidentiality:Low
Integrity:Low
Availability Impact:Low

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI