Bug 2487233 (CVE-2026-53476)

Summary: CVE-2026-53476 assisted-migration-agent: VDDK Tarball Chained-Symlink Arbitrary File Write
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-09 18:37:44 UTC
Repository: assisted-migration-agent  
Priority: High  
Location: internal/services/vddk.go:173

Description:  
The PUT /inspector/vddk endpoint accepts gzipped tarballs and extracts them with a custom extractTarGz() function. The extractor's path traversal protection uses lexical checks (filepath.Clean + HasPrefix) that do not resolve symlinks already present on disk. An attacker can craft a tarball that first plants a symlink a/x → .. (which passes lexical validation) and then writes a/x/y/...; because os.Create follows the live symlink, that entry actually lands at dest/../y/.... Chaining such entries can reach the root directory /.

Security Impact:  

Unauthenticated LAN-adjacent clients can write arbitrary files as UID 1001

Writable targets include /var/lib/agent/ config and /app/.cache

Direct path to persistent code execution on appliance with vCenter admin credentials

Fix Suggestion:  
Before creating each entry, resolve the entry's parent directory with filepath.EvalSymlinks and re-verify that the resolved path is still inside destDir. Do not drop symlink support entirely, as legitimate VDDK tarballs contain .so version symlinks. See patches/f001.patch for implementation.