Main Vulnerability Database Vulnerabilities #VU77575

Race condition in Tang - CVE-2023-1672

Published: June 20, 2023

Vulnerability identifier: #VU77575

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-1672

CWE-ID: CWE-362

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: latchset

Affected software:
Tang

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a race condition in the Tang server functionality for key generation and key rotation, which results in a small time window where Tang server private keys become readable by any other process on the same host. The files are initially created with world readable permissions (0644), and only subsequently have more restrictive permissions applied (0440). A local user can exploit the race and obtain Tang private keys.

How to mitigate CVE-2023-1672

Install updates from vendor's website.

Sources

https://census-labs.com/news/2023/06/15/race-tang/

Race condition in Tang - CVE-2023-1672

Detailed vulnerability description

How to mitigate CVE-2023-1672

Sources

Please verify you're human