CVE-2020-24332

low-risk
Published 2020-08-13

An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.

Do I need to act?

-
0.19% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (2)

Trousers

Affected Vendors

Fedoraproject Trustedcomputinggroup

References (10)

Exploit http://www.openwall.com/lists/oss-security/2020/08/14/1
Exploit https://bugzilla.suse.com/show_bug.cgi?id=1164472
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch
Exploit https://sourceforge.net/p/trousers/mailman/message/37015817/
Exploit http://www.openwall.com/lists/oss-security/2020/08/14/1
Exploit https://bugzilla.suse.com/show_bug.cgi?id=1164472
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List https://seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patch
Exploit https://sourceforge.net/p/trousers/mailman/message/37015817/
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 7/34 · Low