#VU61662 Race condition in Paramiko


Published: 2022-03-28

Vulnerability identifier: #VU61662

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-24302

CWE-ID: CWE-362

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Paramiko
Client/Desktop applications / Encryption software

Vendor: Jeff Forcier

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a race condition in the write_private_key_file() function between creation and chmod operations. A local user can exploit the race and gain unauthorized access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Paramiko: 2.0 - 2.10.0

CPE

External links
http://www.paramiko.org/changelog.html
http://github.com/paramiko/paramiko/blob/363a28d94cada17f012c1604a3c99c71a2bda003/paramiko/pkey.py#L546
http://lists.debian.org/debian-lts-announce/2022/03/msg00032.html
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U63MJ2VOLLQ35R7CYNREUHSXYLWNPVSB/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUEUEGILZ7MQXRSUF5VMMO4SWJQVPTQL/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPMKRUS4HO3P7NR7P4Y6CLHB4MBEE3AI/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in OpenShift Container Platform 4.12
Multiple vulnerabilities in OpenShift Container Platform 4.11
Red Hat OpenStack Platform 16.1 update for python-paramiko
Red Hat OpenStack Platform 16.2 update for python-paramiko
Multiple Vulnerabilities in IBM CloudPak for Watson AIOPs
Multiple vulnerabilities in Dell ECS
Ubuntu update for paramiko
Ubuntu update for paramiko
Information disclosure in Paramiko