CVE-2021-32549 in Apportinfo

Summary

by MITRE • 06/12/2021

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-13 package apport hooks, it could expose private data to other local users.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 06/14/2021

The vulnerability identified as CVE-2021-32549 resides within the apport package's hookutils.py module, specifically in the read_file() function that handles file operations for crash reporting purposes. This flaw represents a critical security issue in Ubuntu's automated bug reporting system where the function fails to properly validate file types when processing symbolic links or named pipes. The vulnerability manifests when the openjdk-13 package utilizes these apport hooks to collect diagnostic information during system crashes or application failures, creating a pathway for unauthorized data exposure.

The technical implementation of this vulnerability stems from inadequate file type validation within the read_file() function, which operates without proper safeguards against symbolic link traversal or FIFO (named pipe) access. When apport processes crash reports for java applications, it invokes this function to read relevant configuration files or system information. The function's failure to check whether files are symbolic links or named pipes allows malicious local users to create malicious symbolic links pointing to sensitive system files or establish named pipes that can be exploited to read private data. This behavior directly violates the principle of least privilege and creates an information disclosure vector that can be leveraged by attackers with local system access.

The operational impact of this vulnerability extends beyond simple data exposure, as it enables local privilege escalation and information gathering attacks that can compromise system integrity. Attackers can exploit this flaw to read sensitive files such as password hashes, cryptographic keys, configuration files containing database credentials, or other private information that should remain protected. The vulnerability affects systems running Ubuntu with the openjdk-13 package and apport crash reporting enabled, making it particularly concerning for server environments where java applications are commonly deployed. This issue can be exploited by any local user who has the ability to create symbolic links or named pipes, which is typically available to all users on standard linux systems.

Security mitigations for CVE-2021-32549 should focus on implementing proper file validation and access controls within the apport framework. The recommended approach includes modifying the read_file() function to explicitly check file types before processing, implementing proper file descriptor validation, and ensuring that symbolic links and FIFOs are not followed or opened during crash report collection. System administrators should update to patched versions of the apport package, apply the relevant security updates, and consider implementing additional monitoring for suspicious file access patterns. Organizations should also review their local user permissions and implement proper file system hardening measures to prevent unauthorized symbolic link creation. This vulnerability aligns with CWE-367, which addresses time-of-check to time-of-use (TOCTOU) race conditions, and can be mapped to ATT&CK technique T1005 for data from local system, demonstrating the importance of proper file access controls and privilege management in preventing information disclosure attacks.

Responsible

Canonical Ltd.

Reservation

05/10/2021

Disclosure

06/12/2021

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00289

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!