Vulnerability Details CVE-2020-24332
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.2%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 4.9
References
- http://www.openwall.com/lists/oss-security/2020/08/14/1
- https://bugzilla.suse.com/show_bug.cgi?id=1164472
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
- https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch
- https://sourceforge.net/p/trousers/mailman/message/37015817/
- http://www.openwall.com/lists/oss-security/2020/08/14/1
- https://bugzilla.suse.com/show_bug.cgi?id=1164472
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/
- https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch
- https://sourceforge.net/p/trousers/mailman/message/37015817/
Products affected by CVE-2020-24332
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.2.8
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.2.9
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.2.9.1
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.2.9.2
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.0
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.1
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.10
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.11
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.13
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.14
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.2
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.3
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.4
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.5
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.6
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.7
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.8
-
cpe:2.3:a:trustedcomputinggroup:trousers:0.3.9
-
cpe:2.3:o:fedoraproject:fedora:33