CVE-2021-28099 in OSS Hollow

Summary

by MITRE • 03/24/2021

In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.


Analysis

by VulDB Data Team • 04/04/2021

The vulnerability identified as CVE-2021-28099 affects Netflix Open Source Software Hollow, a library designed for efficient data serialization and deserialization. This flaw resides in the directory creation and file naming mechanisms within the software's persistence layer. The core issue stems from a race condition vulnerability that allows malicious actors to manipulate the file system creation process before legitimate operations occur. The vulnerability manifests when the system first checks for parent directory existence using Files.exists(parent) before proceeding with directory creation, creating a window of opportunity for attackers to exploit.

The defect is in the directory creation sequence: the code performs a preliminary existence check and then creates the directory, with no synchronization or validation between the two steps. This is a classic check-then-act race. An attacker who can write to the enclosing location can pre-create the directory with overly permissive access controls, and the later creation step accepts it as if the application had created it. The problem is compounded by the use of an insecure source of randomness for generating file names, so the names the application will use can be computed in advance rather than being unpredictable. Predictable names let an attacker stage file operations at those paths ahead of the application, bypassing the protection that unpredictable names would otherwise provide.

From an operational impact perspective, the combination creates risks of privilege escalation, unauthorized data access, and manipulation of persisted data structures. The insecure randomness source is the more damaging half of the pair: because the file paths the application will process can be predicted, an attacker can place content at those paths so that the application creates or modifies files in unexpected locations, or reads attacker-supplied data as if it were its own. Systems that rely on Netflix OSS Hollow for data persistence are affected and could be exploited to gain unauthorized access to sensitive data or to disrupt normal application operations.

The vulnerability aligns with CWE-367, which addresses Time-of-Check to Time-of-Use (TOCTOU) race conditions, and CWE-330, which covers the use of insecure randomness. From an ATT&CK framework perspective, this vulnerability maps to TA0005 Privilege Escalation and TA0004 Defense Evasion, as attackers could leverage this weakness to establish persistent access or hide malicious activities within the application's data persistence layer. The vulnerability also relates to T1059 Command and Scripting Interpreter, as attackers might use the file system manipulation capabilities to execute malicious payloads through the affected persistence mechanisms.

Mitigation should start by removing the race window: instead of checking for existence and then creating, use a creation call that is atomic and idempotent, so there is no gap between the check and the creation into which an attacker can insert a directory. Because such a call still succeeds when the directory already exists, the code must then verify what it actually got (that it is a real directory, owned by the running user, and not writable by group or others) rather than trusting a pre-check. The insecure randomness source should be replaced with a cryptographically secure random number generator so that file names cannot be predicted, and files should be created with exclusive-create semantics and restrictive permissions so that a pre-placed file at the same name causes a failure instead of silent reuse. Regular audits of file system operations and validation of all file paths help to catch the same pattern elsewhere in the code base.
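To make the pattern concrete, the following Java is an added example written for this page, not Hollow's own source: a weak check-then-create routine of the shape the advisory describes next to a hardened one. Method names, the "hollow-" prefix, the POSIX-only permission checks and the Java 17 HexFormat API are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Random;
import java.util.Set;

public class ScratchFiles {
    // Weak shape the advisory describes (illustrative, not Hollow's source): a separate
    // existence check, then a file name derived from java.util.Random.
    static Path weakCreate(Path parent, Random rnd) throws IOException {
        if (!Files.exists(parent)) {            // time of check ...
            Files.createDirectories(parent);    // ... time of use: a pre-created dir is accepted as-is
        }
        String name = "hollow-" + Long.toUnsignedString(rnd.nextLong()); // seed-derived, predictable
        return Files.createFile(parent.resolve(name));
    }

    private static final SecureRandom RNG = new SecureRandom();
    // Hardened shape: no pre-check, owner-only modes, inspection of what actually exists,
    // an unpredictable name, and exclusive file creation (assumes a POSIX file system).
    static Path safeCreate(Path parent) throws IOException {
        FileAttribute<Set<PosixFilePermission>> dirMode =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        Files.createDirectories(parent, dirMode); // idempotent, so no Files.exists() call is needed

        // createDirectories also succeeds on a directory someone else created, so verify it.
        PosixFileAttributes st = Files.readAttributes(parent, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        UserPrincipal me = parent.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        Set<PosixFilePermission> p = st.permissions();
        if (!st.isDirectory() || !st.owner().getName().equals(me.getName())
                || p.contains(PosixFilePermission.GROUP_WRITE) || p.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("refusing to use untrusted directory: " + parent);
        }

        byte[] nonce = new byte[16];                 // 128 bits from a CSPRNG: not guessable
        RNG.nextBytes(nonce);
        String name = "hollow-" + HexFormat.of().formatHex(nonce);
        FileAttribute<Set<PosixFilePermission>> fileMode =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        try {
            return Files.createFile(parent.resolve(name), fileMode); // O_EXCL: fails if the name exists
        } catch (FileAlreadyExistsException e) {
            throw new IOException("collision on " + name + ", possible tampering", e);
        }
    }
}
```

Note that the symlink case is covered too: with NOFOLLOW_LINKS, a symlink planted at the directory path reports isDirectory() as false and is rejected.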

Reservation: 03/09/2021

Disclosure: 03/24/2021

Moderation: accepted

CPE: ready

EPSS: 0.00243

KEV: no

Activities: very low
