CVE-2020-29529: HashiCorp go-slug (Path Traversal)
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
HashiCorp go-slug did not fully protect against Zip Slip attacks while unpacking tar archives, and its protections could be bypassed with specific constructions of multiple symlinks. The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists because of an input validation error when handling files and symlinks in the Unpack function. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system. Below are more technical details of the patch applied on GitHub.
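The bypass described above works because a check done on path strings alone cannot see where links created by earlier archive entries actually point. The following added example (not go-slug's own code) shows, in Go, an unpacker that resolves every parent directory through the real file system before writing, then walks the destination and rejects any link that resolves outside it. The entry type, the unpack and within functions and the in-memory archive are assumptions of this example, not identifiers from the page or the project.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// entry stands in for a tar header (constructed): "name/" is a directory, a set target means symlink.
type entry struct{ name, target string }
// within reports whether p equals dst or lies beneath it; both must be canonical paths.
func within(dst, p string) bool {
	rel, err := filepath.Rel(dst, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// unpack writes entries under canonical dst, resolving each parent through the real file system
// so earlier links cannot redirect a write, then walks dst to reject links that resolve outside.
func unpack(dst string, entries []entry) error {
	for _, e := range entries {
		name := strings.TrimSuffix(e.name, "/")
		parent, err := filepath.EvalSymlinks(filepath.Join(dst, filepath.Dir(name)))
		full := filepath.Join(parent, filepath.Base(name))
		if err != nil || !within(dst, full) {
			return fmt.Errorf("refusing %q: resolves to %q, not under %q (%v)", e.name, full, dst, err)
		}
		switch {
		case name != e.name:
			err = os.Mkdir(full, 0o755)
		case e.target != "":
			err = os.Symlink(e.target, full) // verified by the walk below, once every link exists
		default:
			err = os.WriteFile(full, []byte("data\n"), 0o644) // file body is a stand-in
		}
		if err != nil {
			return err
		}
	}
	return filepath.WalkDir(dst, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.Type()&fs.ModeSymlink == 0 {
			return err
		}
		if r, err := filepath.EvalSymlinks(p); err != nil || !within(dst, r) {
			return fmt.Errorf("symlink %q resolves to %q, not under %q (%v)", p, r, dst, err)
		}
		return nil
	})
}
```

A two-link chain such as l2 -> "." followed by l1 -> "l2/.." passes a string-only check (both join to dst) yet resolves to the parent of dst; here the write through l1 is refused and the link itself is rejected by the final walk.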
1.2 CVSS Score
The CVSS base score of this vulnerability is 7.5 Medium. Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1.3 Affected Version
HashiCorp go-slug up to 0.4.3
1.4 Vulnerability Attribution
This vulnerability was reported by Ryan Uber from HashiCorp.
1.5 Risk Impact
No public exploits are available, but it is possible to build one. As per this site, HashiCorp, the leader in multi-cloud automation software, announced that it had been named to the Forbes 2019 Cloud 100 for the second consecutive year. HashiCorp moved from #32 to #4, making it the biggest mover in the Top 5.
HashiCorp's open-source products have been downloaded millions of times, and commercial versions of those products are broadly adopted by the Global 2000. The products' modular and open design enables them to be widely used across a rich ecosystem of cloud and infrastructure partners, including Alibaba Cloud, AWS, Google Cloud, Microsoft Azure, Oracle Cloud, and VMware.
As per the HashiCorp blog, by the end of 2018 HashiCorp products had been downloaded close to 45 million times; given the rapid adoption, we predict that downloads and adoption have since increased many fold.
Exploiting this vulnerability can lead to exfiltration of sensitive data from servers via path traversal.
1.6 Virsec Security Platform (VSP) Support:
The Virsec Security Platform (VSP)-Web has the capability to detect all types of path traversal attacks and prevent this vulnerability from being exploited.
1.7 Reference Links: