GHSA-HGWP-4VP4-QMM2
Vulnerability from github – Published: 2021-05-24 16:56 – Updated: 2023-03-02 21:10In cloudflared versions < 2020.8.1 (corresponding to 0.0.0-20200820025921-9323844ea773 on pkg.go.dev) on Windows, if an administrator has started cloudflared and set it to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration was due to the way that cloudflared reads its configuration file. One of the locations that cloudflared reads from (C:\etc) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user. Upon reading this config, cloudflared would output an error message to a log file defined in the malformed config. The user-controlled log file location could be set to a specific location that Windows will execute when any user logs in.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cloudflare/cloudflared"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200820025921-9323844ea773"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24356"
],
"database_specific": {
"cwe_ids": [
"CWE-427"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-24T16:52:03Z",
"nvd_published_at": "2020-10-02T15:15:00Z",
"severity": "HIGH"
},
"details": "In `cloudflared` versions \u003c 2020.8.1 (corresponding to 0.0.0-20200820025921-9323844ea773 on pkg.go.dev) on Windows, if an administrator has started `cloudflared` and set it to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration was due to the way that `cloudflared` reads its configuration file. One of the locations that `cloudflared` reads from (C:\\etc\\) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user. Upon reading this config, `cloudflared` would output an error message to a log file defined in the malformed config. The user-controlled log file location could be set to a specific location that Windows will execute when any user logs in.",
"id": "GHSA-hgwp-4vp4-qmm2",
"modified": "2023-03-02T21:10:45Z",
"published": "2021-05-24T16:56:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cloudflare/cloudflared/security/advisories/GHSA-hgwp-4vp4-qmm2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24356"
},
{
"type": "WEB",
"url": "https://github.com/cloudflare/cloudflared/commit/9323844ea773b1444460fa09295ab8c01a88d97e"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudflare/cloudflared"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Local Privilege Escalation in cloudflared"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.