Vulnerability Details : CVE-2021-27851
A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.
Vulnerability category: Gain privilege
Products affected by CVE-2021-27851
- cpe:2.3:a:gnu:guix:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-27851
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-27851
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N |
3.9
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2021-27851
-
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Assigned by: nvd@nist.gov (Primary)
-
Assigned by: cret@cert.org (Secondary)
References for CVE-2021-27851
-
https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/
Risk of local privilege escalation via guix-daemon — 2021 — Blog — GNU GuixPatch;Vendor Advisory
-
https://bugs.gnu.org/47229
#47229 - Local privilege escalation via guix-daemon and ‘--keep-failed’ - GNU bug report logsIssue Tracking;Mailing List;Patch;Vendor Advisory
Jump to