CVE-2021-37701

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

El paquete npm "tar" (también se conoce como node-tar) versiones anteriores a 4.4.16, 5.0.8 y 6.1.7, presenta una vulnerabilidad de creación y escritura excesiva de archivos arbitrarios y de ejecución de código arbitrario. node-tar pretende garantizar que no se extraiga ningún archivo cuya ubicación sería modificada por un enlace simbólico. Esto es conseguido, en parte, asegurando que los directorios extraídos no sean enlaces simbólicos. Además, para evitar llamadas innecesarias a las estadísticas para determinar si una ruta dada es un directorio, las rutas son almacenadas en caché cuando los directorios son creados. Esta lógica era insuficiente cuando se extraían archivos tar que contenían tanto un directorio como un enlace simbólico con el mismo nombre que el directorio, donde los nombres de los enlaces simbólicos y de los directorios en la entrada del archivo usaban barras invertidas como separador de rutas en los sistemas posix. La lógica de comprobación de la caché usaba tanto los caracteres "\" como "/" como separadores de ruta, sin embargo "\" es un carácter de nombre de archivo válido en los sistemas posix. Al crear primero un directorio, y luego sustituyendo ese directorio por un enlace simbólico, era posible omitir las comprobaciones de enlaces simbólicos de node-tar en los directorios, permitiendo esencialmente que un archivo tar no confiable hiciera un enlace simbólico en una ubicación arbitraria y que posteriormente extrajera archivos arbitrarios en esa ubicación, permitiendo así la creación y escritura excesiva arbitraria de archivos. Además, una confusión similar podría surgir en los sistemas de archivos que no distinguen entre mayúsculas y minúsculas. Si un archivo tar contiene un directorio en "FOO", seguido de un enlace simbólico llamado "foo", entonces en los sistemas de archivos no sensibles a las mayúsculas y minúsculas, la creación del enlace simbólico eliminaría el directorio del sistema de archivos, pero no de la caché interna de directorios, ya que no se trataría como un golpe de caché. Una entrada de archivo posterior dentro del directorio "FOO" se colocaría entonces en el objetivo del enlace simbólico, pensando que el directorio ya había sido creado. Estos problemas se han solucionado en las versiones 4.4.16, 5.0.8 y 6.1.7. La rama v3 de node-tar ha quedado obsoleta y no ha recibido parches para estos problemas. Si todavía está usando una versión v3, le recomendamos que actualice a una versión más reciente de node-tar. Si esto no es posible, hay una solución disponible en la referencia GHSA-9r2w-394v-53qc

A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-07-29 CVE Reserved
2021-08-31 CVE Published
2024-05-16 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59: Improper Link Resolution Before File Access ('Link Following')

CAPEC

References (8)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html	Mailing List
https://www.npmjs.com/package/tar	Product

URL	Date	SRC

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	2023-01-19
https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc	2023-01-19
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-01-19

URL	Date	SRC
https://www.debian.org/security/2021/dsa-5008	2023-01-19
https://access.redhat.com/security/cve/CVE-2021-37701	2022-06-06
https://bugzilla.redhat.com/show_bug.cgi?id=1999731	2022-06-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Npmjs Search vendor "Npmjs"		Tar Search vendor "Npmjs" for product "Tar"				< 4.4.16 Search vendor "Npmjs" for product "Tar" and version " < 4.4.16"		node.js		Affected
Npmjs Search vendor "Npmjs"		Tar Search vendor "Npmjs" for product "Tar"				>= 5.0.0 < 5.0.8 Search vendor "Npmjs" for product "Tar" and version " >= 5.0.0 < 5.0.8"		node.js		Affected
Npmjs Search vendor "Npmjs"		Tar Search vendor "Npmjs" for product "Tar"				>= 6.0.0 < 6.1.7 Search vendor "Npmjs" for product "Tar" and version " >= 6.0.0 < 6.1.7"		node.js		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				20.3.3 Search vendor "Oracle" for product "Graalvm" and version "20.3.3"		enterprise		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				21.2.0 Search vendor "Oracle" for product "Graalvm" and version "21.2.0"		enterprise		Affected
Siemens Search vendor "Siemens"		Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services"				< 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1"		-		Affected