In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| https://bugzilla.suse.com/show_bug.cgi?id=1178372 | third party advisory issue tracking |
| https://bugzilla.suse.com/attachment.cgi?id=844938 | third party advisory issue tracking |
| https://www.openwall.com/lists/oss-security/2021/01/12/12 | third party advisory mailing list |
| http://www.openwall.com/lists/oss-security/2021/01/13/5 | mailing list mitigation third party advisory |
| https://github.com/open-iscsi/tcmu-runner/pull/644 | third party advisory patch |