CVE-2022-37703: In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path. Asked the researcher about an upstream report: https://github.com/MaherAzzouzi/CVE-2022-37703/issues/1
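The pattern described in the CVE text above, as an added illustration that is neither Amanda's code nor the upstream fix: a SUID-root binary probing a caller-supplied path with `opendir()` while still effective-root, next to a hardened variant that performs the probe under the invoking user's own uid (the function names and the sample path are constructed).

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (as described for calcsize): a SUID-root binary passes a
 * caller-supplied path straight to opendir() while euid is still 0. Root
 * bypasses directory permission checks, so the success/failure result tells an
 * unprivileged caller whether any directory on the filesystem exists. */
int dir_exists_probe_as_root(const char *path) {
    DIR *d = opendir(path);
    if (d == NULL)
        return 0;
    closedir(d);
    return 1;
}

/* Hardened variant (illustrative, not the upstream fix): temporarily switch the
 * effective uid to the invoker's real uid for the probe, so the kernel applies
 * exactly the permission checks that user is already subject to. A directory
 * the user may not traverse fails with EACCES, the same answer `ls` would give,
 * so nothing new is disclosed. The saved set-user-ID lets a SUID-root process
 * regain euid 0 afterwards. A real fix should additionally confine the path to
 * the configured backup locations. Returns 1 if the directory is accessible to
 * the invoker, 0 if not, -1 if the privilege switch itself failed. */
int dir_exists_probe_as_invoker(const char *path) {
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    int found = 0;
    DIR *d = opendir(path);
    if (d != NULL) {
        closedir(d);
        found = 1;
    }
    if (seteuid(saved_euid) != 0)
        return -1;
    return found;
}

int main(void) {
    /* Constructed sample path: a directory name not expected to exist. */
    const char *probe = "/nonexistent-constructed-dir-for-demo";
    printf("probe as root:    %d\n", dir_exists_probe_as_root(probe));
    printf("probe as invoker: %d\n", dir_exists_probe_as_invoker(probe));
    return 0;
}
```

Run as an ordinary user the two probes agree; the difference only appears when the binary is installed SUID root and the path lies under a directory the invoker cannot traverse.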
And after trying to help them report this upstream, they eventually just deleted my issue after saying they'll drop 2 Amanda LPEs today.
Reproduced their side of the conversation in: https://gist.github.com/ajakk/f5aece4564079513f09f6066238ed6aa
Reported upstream: https://github.com/zmanda/amanda/issues/192
Pointed out these two CVEs in the upstream issue as well.
Apparently, that might not be the real upstream, but fortunately someone from that repo reported to the mailing lists:
https://github.com/zmanda/amanda/issues/192#issuecomment-1399650313
https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
https://marc.info/?l=amanda-users&m=167437611218333&w=2
Looks like some fixes made it into Git upstream.

CVE-2022-37703 was fixed with:
https://github.com/zmanda/amanda/commit/cf01041d34b830fc8bfe87346a9a1aa092d76820

CVE-2022-37704 was partially fixed with:
https://github.com/zmanda/amanda/commit/ee766efdd77acd2e08f646bf2f9028944cdb9d06

Then had further fixes:
https://github.com/zmanda/amanda/commit/e06005c01c4e008705083d053adefab0be5b2c4f
https://github.com/zmanda/amanda/commit/f069e2c190146c5ed4d5ef8df390ee5024d4a3c8
(In reply to John Helmert III from comment #6)
> Looks like some fixes made it into Git upstream.
>
> CVE-2022-37703 was fixed with:
> https://github.com/zmanda/amanda/commit/cf01041d34b830fc8bfe87346a9a1aa092d76820
>
> CVE-2022-37704 was partially fixed with:
> https://github.com/zmanda/amanda/commit/ee766efdd77acd2e08f646bf2f9028944cdb9d06
>
> Then had further fixes:
>
> https://github.com/zmanda/amanda/commit/e06005c01c4e008705083d053adefab0be5b2c4f
> https://github.com/zmanda/amanda/commit/f069e2c190146c5ed4d5ef8df390ee5024d4a3c8

All done! This is the simple fix to ensure automake is run for stable users.