CVE-2018-20482 in tarinfo

Summary

by MITRE

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).


Analysis

by VulDB Data Team • 06/22/2023

The vulnerability identified as CVE-2018-20482 affects GNU Tar versions prior to 1.30 and is a denial of service flaw in how the archive utility handles sparse files. It manifests only when the --sparse command line option is used during archiving, and it causes tar to enter an infinite read loop inside the sparse_dump_region function in sparse.c. The flaw is a race condition: a malicious local user modifies a file that is scheduled for archiving by another user's process, typically a system backup running with elevated privileges such as root.

The flaw stems from improper handling of file size changes during the read phase of sparse file processing. When GNU Tar encounters a sparse file with --sparse enabled, it first maps which regions of the file hold data and which are empty, and then reads the data regions. It does not, however, re-validate the file between that initial size determination and the actual read operations. This validation gap lets an attacker shrink the target file while it is being archived, so that sparse_dump_region keeps attempting to read a region whose recorded extent no longer matches the file, resulting in an infinite loop that consumes system resources and stalls the archiving operation.
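The read loop and the missing shrinkage check described above, as an added C example that models the sparse_dump_region pattern rather than reproducing tar's own sparse.c; dump_region, simulate_shrink and the dump_status values are hypothetical names, and the harness uses a temporary file under /tmp:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BLOCKSIZE 512
enum dump_status { DUMP_OK, DUMP_READ_ERROR, DUMP_FILE_SHRANK };
/* Dump one data region (offset, numbytes) of a sparse map recorded before
 * reading began: read up to BLOCKSIZE, zero-pad, advance. The got == 0 branch
 * is the shrinkage check; without it EOF repeats forever and the loop spins. */
static enum dump_status
dump_region(int fd, off_t offset, off_t numbytes, off_t *shortfall)
{
    char blk[BLOCKSIZE]; off_t bytes_left = numbytes;
    *shortfall = 0;
    if (lseek(fd, offset, SEEK_SET) == (off_t)-1)
        return DUMP_READ_ERROR;
    while (bytes_left > 0) {
        size_t want = bytes_left > BLOCKSIZE ? BLOCKSIZE : (size_t)bytes_left;
        ssize_t got = read(fd, blk, want);
        if (got < 0)
            return DUMP_READ_ERROR;
        if (got == 0) {                 /* EOF before the recorded region ended */
            *shortfall = bytes_left;    /* report "file shrank by N bytes" */
            return DUMP_FILE_SHRANK;
        }
        memset(blk + got, 0, BLOCKSIZE - (size_t)got); /* blk would be archived */
        bytes_left -= got;
    }
    return DUMP_OK;
}
/* Harness (constructed): size a temp file, keep that size as the sparse map
 * would, shrink it like a concurrent writer, then dump. Returns the shortfall
 * detected, 0 when the dump completed, -1 on setup or read error. */
static off_t
simulate_shrink(off_t initial, off_t shrunk_to)
{
    char path[] = "/tmp/sparse-demo-XXXXXX";
    off_t shortfall = -1, rc = -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);   /* the file lives only as long as fd; content is irrelevant */
    if (ftruncate(fd, initial) == 0 && ftruncate(fd, shrunk_to) == 0)
        switch (dump_region(fd, 0, initial, &shortfall)) {
        case DUMP_OK:          rc = 0; break;
        case DUMP_FILE_SHRANK: rc = shortfall; break;
        default:               rc = -1;
        }
    close(fd);
    return rc;
}
```

With the got == 0 branch removed, simulate_shrink(2048, 700) never returns, which is the behaviour the advisory describes.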

The operational impact extends beyond simple resource exhaustion because the flaw specifically affects system backup processes, which typically run as root. When a backup using GNU Tar reaches a file that another process is actively modifying, particularly one that has been compromised or is under malicious control, the infinite read loop causes the entire backup to hang indefinitely. This denial of service condition can severely impact system availability, especially in environments where automated backups are critical for data recovery. The vulnerability is particularly dangerous because it requires minimal privileges: any local user who can write to a file that another process is about to archive can trigger it, making it a significant threat to system integrity and availability.

The root cause aligns with CWE-691, which covers inadequate protection against infinite loops and other forms of uncontrolled resource consumption. The sparse file handling code path does not account for concurrent file modification during archiving, which reflects weak input validation and resource management. From an attacker's perspective, the vulnerability maps to ATT&CK technique T1499.001, resource exhaustion through denial of service. More broadly, it illustrates the need for proper file access controls and robust handling of concurrent modification in system utilities that process files with elevated privileges. Organizations should update to GNU Tar version 1.30 or later, enforce appropriate file access controls, and monitor backup processes for unusual resource consumption patterns (a backup that stops making progress while still consuming CPU) to prevent exploitation of this vulnerability.

Reservation

12/26/2018

Disclosure

12/26/2018

Moderation

accepted

CPE

ready

EPSS

0.00020

KEV

no

Activities

very low
