CVE-2020-24332 : An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.

Published 2020-08-13 17:15:14

Updated 2022-11-18 21:19:48

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2020-24332

Probability of exploitation activity in the next 30 days: 0.06%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 22 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-24332

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.9	MEDIUM	AV:L/AC:L/Au:N/C:N/I:N/A:C	3.9	6.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-24332

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-24332

http://www.openwall.com/lists/oss-security/2020/08/14/1

oss-security - Re: [TrouSerS-tech] Multiple Security Issues in the TrouSerS tpm1.2 tscd Daemon
Exploit;Mailing List;Third Party Advisory

CVEs referencing this url
https://bugzilla.suse.com/show_bug.cgi?id=1164472

Bug 1164472 – VUL-0: trousers: TrouSerS tcsd privilege escalation tss to root user
Exploit;Issue Tracking;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/

[SECURITY] Fedora 33 Update: trousers-0.3.14-4.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch

Mailing List;Patch;Third Party Advisory

CVEs referencing this url
https://sourceforge.net/p/trousers/mailman/message/37015817/

TrouSerS / [TrouSerS-tech] Multiple Security Issues in the TrouSerS tpm1.2 tscd Daemon
Exploit;Mailing List;Mitigation;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2020-24332

Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Trustedcomputinggroup » Trousers
Versions up to, including, (<=) 0.3.14
cpe:2.3:a:trustedcomputinggroup:trousers:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2020-24332

Exploit prediction scoring system (EPSS) score for CVE-2020-24332

CVSS scores for CVE-2020-24332

CWE ids for CVE-2020-24332

References for CVE-2020-24332

Products affected by CVE-2020-24332