Summary: CPIO found to be vulnerable to Path Traversal vulnerability that can be leveraged to achieve full Remote Command Execution on the target. Details: While handling CPIO archives, the CPIO follows symlink, cpio by default will follow stored symlinks while extracting and the Archiver will not check the symlink location, which leads to arbitrary file writes to unintended locations. When the victim extracts the archive, the attacker can craft a malicious cpio archive to achieve RCE on the target system. PoC ( Steps to reproduce ) : Complete instructions to craft a cpio archive to demonstrate the vulnerability. ``` mkdir testcpio ln -sf /tmp/ testcpio/tmp echo "TEST Traversal" > testcpio/tmpYtrav.txt cd testcpio/ ls | cpio -ov > ../trav.cpio cd ../ sed -i s/"tmpY"/"tmp\/"/g trav.cpio ``` Extract the malicious archive: cpio -i < trav.cpio Impact: An attacker can craft malicious cpio archives that exploit the vulnerability to write files on locations such as ~/.ssh, ~/.bashrc, ~/.config/autostart/ etc., to achieve full remote command execution on the target/victim system. Software that uses CPIO as a component might be vulnerable. Credit: Febin Mon Saji
This attack requires to social engineer the user to open the cpio archive, impact of this is moderate.
*** Bug 2255243 has been marked as a duplicate of this bug. ***
Looks very similar to CVE-2015-1197 - https://bugzilla.redhat.com/show_bug.cgi?id=1179773
There is a question in upstream list about this CVE in https://lists.gnu.org/archive/html/bug- cpio/2024-02/msg00000.html
Marian, can you help with this question? Corrected link is https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg00000.html
https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html CVE-2023-7216 has been rejected by the upstream community , cpio maintainer don't think it's a bug. Is the Red Hat community considering marking CVE-2023-7216 as rejected on NVD?
I see no difference between this CVE-2023-7216 and the CVE-2015-1197. Both CVEs are about the same thing: escaping the directory tree the archive is extracted in. The way the reproducer is constructed is a bit different but from what I can tell it results in the same principle. I've made an extensive summary of the CVE-2015-1197 here: https://bugzilla.redhat.com/show_bug.cgi?id=1179773#c8 I don't understand why this CVE is rated 'moderate' (was even 'high' for a while), while the CVE-2015-1197 is rated 'low'. After 8 years, the upstream created a fix for the cpio '--no-absolute-filenames' option, so it now prevents the attack. Other than that the upstream rejected this CVE, stating to use the fixed '--no-absolute-filenames' option, which entirely prevents it. As I've pointed out in the CVE-2015-1197, we haven't fixed even that in RHEL 7, 8, 9. And it doesn't seem to be a problem, at least as far as I can tell. I believe these two CVEs are the exact same, only revived few years later. As it wasn't a problem with the CVE-2015-1197, I strongly suggest to use the same resolution. Which is: - lower the CVE severity to 'low' - close as 'WON'T FIX' The RHEL 10 will likely be the first RHEL distribution containing the fix.
Created cpio tracking bugs for this issue: Affects: fedora-all [bug 2280700]