CVE-2025-24889 in securedrop-clientinfo

Summary

by MITRE • 02/13/2025

The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to versions 0.14.1 and 1.0.1, an attacker who has already gained code execution in a virtual machine on the SecureDrop Workstation could gain code execution in the `sd-log` virtual machine by sending a specially crafted log entry. The vulnerability is not exploitable remotely and requires an attacker to already have code execution on one of the other virtual machines (VMs) of the system. Due to the Workstation's underlying usage of Qubes for strong isolation, the vulnerability would have allowed lateral movement between any log-enabled VM and the `sd-log` VM, but no further. The SecureDrop workstation collects logs centrally in an isolated virtual machine named `sd-log` for easy export for support and debugging purposes. The `sd-log` VM is completely isolated from the internet and ingests logs via a narrow Qubes RPC policy that allows for specific inter-VM communication via the Xen vchan protocol used by Qubes's qrexec mechanism. A path traversal bug was found in the logic used to choose where to write the log file for a specific VM: the VM name, used unsanitized in the destination path in `sd-log`, is supplied by the logging VM itself instead of being read from a trusted source, such as the Qubes environment variable `QREXEC_REMOTE_DOMAIN` that is used in the fixed implementation. An attacker could provide an arbitrary source VM name, possibly overwriting logs of other VMs, or writing a file named `syslog.log`, with attacker-controlled content, in arbitrary directories as a low-privileged user. A successful attack could potentially overwrite or add configuration to software that loads configuration files from a directory. This is exploitable to achieve code execution by setting the target directory to `/home/user/.config/autostart/` and letting it write `syslog.log`, because XFCE treats any file in that directory as a `.desktop` file regardless of its extension. Versions 0.14.1 and 1.0.1 contain a patch for this issue.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/13/2025

The SecureDrop Workstation represents a sophisticated secure communication platform designed for journalists to interact with sources while maintaining strict operational security. This system employs Qubes OS as its underlying architecture, leveraging virtual machine isolation to create secure boundaries between different operational domains. The platform's design includes a dedicated logging mechanism where all system logs are centrally collected in an isolated virtual machine named sd-log, which maintains complete internet isolation and communicates with other VMs through carefully controlled Qubes RPC policies. The vulnerability described in CVE-2025-24889 specifically targets this logging infrastructure, creating a path traversal flaw that undermines the security boundaries established by the Qubes isolation model.

The technical flaw resides in the log file path construction logic within the sd-log VM, where the system fails to properly sanitize the source VM name when determining log file destinations. This vulnerability stems from the improper handling of user-supplied data, specifically allowing untrusted input from the logging VM to directly influence the file system path construction. The implementation incorrectly relies on the VM name provided by the logging VM itself rather than using the trusted Qubes environment variable QREXEC_REMOTE_DOMAIN, which would provide authenticated source identification. This design flaw creates a classic path traversal vulnerability where an attacker can manipulate the VM name to control file write operations, potentially leading to arbitrary file creation in directories accessible to the low-privileged user account.

The operational impact of this vulnerability extends beyond simple file manipulation, as it enables lateral movement within the Qubes environment while maintaining the system's intended security boundaries. An attacker with code execution in any VM that sends logs to sd-log can exploit this flaw to overwrite log files from other VMs or inject malicious content into critical system directories. The most concerning aspect involves the potential for privilege escalation through configuration file injection, particularly when targeting the XFCE autostart directory where any file with a .desktop extension is automatically executed. This creates a direct code execution pathway that could allow attackers to establish persistent access to the system, undermining the fundamental security model that the SecureDrop Workstation was designed to protect.

The attack vector requires an existing foothold within the Qubes environment, as the vulnerability is not remotely exploitable and demands pre-existing code execution in another VM. This limitation makes the attack more difficult to achieve but still represents a serious compromise of the system's security architecture, particularly given that the Qubes model is specifically designed to prevent such lateral movement between VMs. The vulnerability aligns with CWE-22 Path Traversal and CWE-770 Allocation of Resources Without Limits or Throttling, demonstrating how improper input validation and resource management can create security breaches even within isolated environments. Mitigation efforts should focus on implementing proper input sanitization and leveraging the established Qubes environment variables for source identification, while also considering the broader implications for the system's attack surface and the need for comprehensive security auditing of inter-VM communication mechanisms. The patched versions 0.14.1 and 1.0.1 address this issue by enforcing proper sanitization of the VM name input and utilizing the trusted Qubes environment variable for source identification, thereby restoring the intended security boundaries within the SecureDrop Workstation architecture.

Responsible

GitHub M

Reservation

01/27/2025

Disclosure

02/13/2025

Moderation

accepted

CPE

ready

EPSS

0.00189

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!