Main Vulnerability Database Vulnerabilities #VU77575

#VU77575 Race condition in Tang - CVE-2023-1672

Published: June 20, 2023

Vulnerability identifier: #VU77575

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-1672

CWE-ID: CWE-362

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Tang

Software vendor:
latchset

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a race condition in the Tang server functionality for key generation and key rotation, which results in a small time window where Tang server private keys become readable by any other process on the same host. The files are initially created with world readable permissions (0644), and only subsequently have more restrictive permissions applied (0440). A local user can exploit the race and obtain Tang private keys.

Remediation

Install updates from vendor's website.

External links

https://census-labs.com/news/2023/06/15/race-tang/

#VU77575 Race condition in Tang - CVE-2023-1672

Description

Remediation

External links

Please verify you're human