Amanda 3.5.1 has a flaw that allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which may lead to escalation of privileges, denial of service, and information disclosure.

https://github.com/MaherAzzouzi/CVE-2022-37704
https://github.com/zmanda/amanda/issues/192
https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
Created amanda tracking bugs for this issue:

Affects: fedora-all [bug 2168789]
I believe the discussion under https://bugzilla.redhat.com/show_bug.cgi?id=2167744#c4 applies equally here.
Upstream PRs & commits:

https://github.com/zmanda/amanda/pull/197
https://github.com/zmanda/amanda/commit/e890d08e16ea0621966a7ae35cce53ccb44a472e
https://github.com/zmanda/amanda/commit/ecf1d6e82a7d0ffe0a826a40a6d6ce4c112fea67
https://github.com/zmanda/amanda/pull/205
https://github.com/zmanda/amanda/pull/205/commits/b930189c06290a23aba177687b2f123590323be1
In reply to comment #3:
> I believe the discussion under
> https://bugzilla.redhat.com/show_bug.cgi?id=2167744#c4 applies equally here.

To back this up:

el8 ~ $ dnf install amanda-client
el8 ~ $ ls -l /usr/lib64/amanda/rundump
-rwsr-x---. 1 root disk 17208 Aug 12 2018 /usr/lib64/amanda/rundump
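
Added example (not part of the bug thread or of Amanda's code): a shell check that takes the mode, owner and group as they appear in the `ls -l` output above and reports which local accounts can execute a setuid helper such as rundump. The function names are hypothetical, `audit_path` assumes GNU `stat`, and the two candidate paths are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: report who can run a setuid helper, given its mode/owner/group.

# suid_exposure MODE OWNER GROUP
# MODE is the symbolic mode printed by `ls -l` or `stat -c %A`; a trailing
# SELinux "." or ACL "+" marker is ignored because only the first 10
# characters are inspected.
suid_exposure() {
    mode=$1 owner=$2 group=$3
    case $mode in
        ???[sS]*) ;;                        # owner-execute slot carries setuid
        *) echo "not-setuid"; return 0 ;;
    esac
    case $mode in
        ?????????[xt]*) who="any local user" ;;          # other-execute is set
        ??????[xs]*)    who="owner and group $group" ;;  # group-execute is set
        *)              who="owner only" ;;
    esac
    echo "setuid-$owner: runnable by $who"
}

# audit_path PATH: look up the live file and classify it (GNU stat assumed).
audit_path() {
    info=$(stat -c '%A %U %G' -- "$1") || return 1
    # Word-split into mode, owner, group (names without spaces assumed).
    set -- $info
    suid_exposure "$1" "$2" "$3"
}

# Check the rundump locations mentioned in this thread, if present.
for p in /lib/amanda/rundump /usr/lib64/amanda/rundump; do
    if [ -e "$p" ]; then
        printf '%s: %s\n' "$p" "$(audit_path "$p")"
    fi
done
```

When the result names a group, `getent group disk` (substituting the reported group) lists the accounts that can reach the binary.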