Bug 1964465 (CVE-2020-28407) - CVE-2020-28407 swtpm: symlink issue may lead to privilege escalation
Summary: CVE-2020-28407 swtpm: symlink issue may lead to privilege escalation
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-28407
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1964476
Blocks: 1964406
TreeView+ depends on / blocked
 
Reported: 2021-05-25 14:33 UTC by Mauro Matteo Cascella
Modified: 2023-12-28 12:08 UTC (History)
4 users (show)

Fixed In Version: swtpm 0.4.2, swtpm 0.5.1
Clone Of:
Environment:
Last Closed: 2021-10-29 09:07:28 UTC
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2021-05-25 14:33:17 UTC 
A flaw was found in swtpm. This flaw allows an attacker to create a symbolic link with the name of the temporary file (TMP2-00.permall for TPM 2) and have this point to a valuable file. swtpm will end up overwriting the file. The success of the attack depends on the attacker having access to the TPM's state directory (--tpmstate dir=...).

Upstream commits [v0.4.2]:
https://github.com/stefanberger/swtpm/commit/cae5991423826f21b11f7a5bc7f7b2b538bde2a2
https://github.com/stefanberger/swtpm/commit/252d62fc4abb220353576c26434b6e40166f3b58
https://github.com/stefanberger/swtpm/commit/2212f25466089937a0ef3f5d44507a2b157c12aa
https://github.com/stefanberger/swtpm/commit/bd870a7dcc61cff4306739312eb0ab47cd050460

Upstream commits [v0.5.1]:
https://github.com/stefanberger/swtpm/commit/4cc42c0ba3632a98ef381bda68d0a4eaec4578db
https://github.com/stefanberger/swtpm/commit/634b6294000fb785b9f12e13b852c18a0888b01e
https://github.com/stefanberger/swtpm/commit/a03cbadd087b2602412823f254ac75a9a12d97e3
https://github.com/stefanberger/swtpm/commit/526300236dc8a7664acdc265b6fc5d767289ac39
https://github.com/stefanberger/swtpm/commit/e621b21d4c31029ebe794350fcff2bcd4b0f13a0
Comment 4 Stefan Berger 2021-10-14 21:15:59 UTC 
This bug has been fixed a while ago. I think this bugzilla can be closed.
Note You need to log in before you can comment on or make changes to this bug.