CVE-2011-3632
📋 TL;DR
CVE-2011-3632 is a symlink attack vulnerability in Hardlink versions before 0.1.2 that allows local attackers to manipulate file operations by exploiting improper path handling. This affects systems where Hardlink is installed and users have local access. The vulnerability enables attackers to create or modify files they shouldn't have access to.
💻 Affected Systems
- Hardlink
📦 What is this software?
Hardlink by Hardlink Project
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation allowing attackers to gain root access, modify critical system files, or create persistent backdoors.
Likely Case
Unauthorized file creation or modification in directories accessible to the attacker, potentially leading to data tampering or service disruption.
If Mitigated
Limited impact with proper file permissions and user separation, though symlink attacks could still affect shared directories.
🎯 Exploit Status
Exploitation requires local access and knowledge of target file paths. Proof of concept was published in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.2 and later
Vendor Advisory: https://access.redhat.com/security/cve/cve-2011-3632
Restart Required: No
Instructions:
1. Update Hardlink to version 0.1.2 or later using your package manager.
2. For Debian/Ubuntu: sudo apt-get update && sudo apt-get install hardlink
3. For RHEL/CentOS: sudo yum update hardlink
🔧 Temporary Workarounds
Remove Hardlink utility
Linux: Uninstall Hardlink if it is not needed, to eliminate the attack surface
sudo apt-get remove hardlink
sudo yum remove hardlink
Restrict user permissions
Linux: Limit which users can execute Hardlink and access sensitive directories
sudo chmod 750 /usr/bin/hardlink
sudo setfacl -m u:username:rx /usr/bin/hardlink
🧯 If You Can't Patch
- Remove execute permissions from Hardlink binary for non-privileged users
- Implement strict file permission controls and monitor for symlink creation in sensitive directories
🔍 How to Verify
Check if Vulnerable:
Check Hardlink version with 'hardlink --version' or 'dpkg -l | grep hardlink' or 'rpm -q hardlink'
Check Version:
hardlink --version 2>/dev/null || dpkg -l hardlink 2>/dev/null || rpm -q hardlink 2>/dev/null
Verify Fix Applied:
Verify installed version is 0.1.2 or higher: 'hardlink --version' should show 0.1.2+
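The version check above, written out as an added example script (not part of the advisory or of the Hardlink project): it takes whatever the advisory's one-liner prints (hardlink --version, dpkg -l or rpm -q output), extracts the dotted version number and compares it field by field against the fixed release 0.1.2, so that a release such as 0.1.10 is not misjudged by a plain string comparison. The function names, the FIXED_VERSION variable and the sample output lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example: classify an installed hardlink as affected by CVE-2011-3632
# (older than 0.1.2) or fixed. Not code from the advisory or the project.

FIXED_VERSION="0.1.2"   # first release the advisory lists as fixed

# version_lt A B: succeed (exit 0) when dotted version A is strictly older
# than B. Fields are compared numerically; missing fields count as 0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#*.};  b=${b#*.}
        x=${x:-0};  y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# extract_version LINE: print the first dotted number in a line of tool
# output, e.g. "hardlink 0.1.1", "ii  hardlink  0.1.1-1  amd64 ..." or
# "hardlink-1.0-9.el7.x86_64" (constructed sample shapes, not real output).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# hardlink_is_vulnerable LINE: exit 0 if the version in LINE is older than
# 0.1.2, 1 if it is 0.1.2 or newer, 2 if no version could be parsed.
hardlink_is_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# check_installed_hardlink: query the local copy the same way the advisory's
# one-liner does and report. Exit 1 only when an affected version is found.
check_installed_hardlink() {
    out=$(hardlink --version 2>/dev/null \
          || dpkg -l hardlink 2>/dev/null | grep '^ii' \
          || rpm -q hardlink 2>/dev/null) || true
    if [ -z "$out" ]; then
        echo "hardlink: not installed (or not on PATH)"
        return 0
    fi
    if hardlink_is_vulnerable "$out"; then
        echo "hardlink: AFFECTED by CVE-2011-3632 ($(extract_version "$out") < $FIXED_VERSION)"
        return 1
    elif [ $? -eq 2 ]; then
        echo "hardlink: could not parse a version from: $out"
        return 0
    fi
    echo "hardlink: fixed version $(extract_version "$out") (>= $FIXED_VERSION)"
    return 0
}

check_installed_hardlink
```

Run it as a normal user on each host; a non-zero exit marks an affected install, so it can be dropped into a fleet-wide inventory job. Package-manager output may carry a distribution suffix (0.1.1-1, 1.0-9.el7), which the extractor ignores; only the upstream version decides.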
📡 Detection & Monitoring
Log Indicators:
- Unusual Hardlink usage by non-privileged users
- Symlink creation in protected directories
- Failed file operations due to permission errors
Network Indicators:
- Not applicable - local attack only
SIEM Query:
process.name:"hardlink" AND user.name NOT IN ("root", "admin")
🔗 References
- https://access.redhat.com/security/cve/cve-2011-3632
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645516
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3632
- https://security-tracker.debian.org/tracker/CVE-2011-3632
- https://www.openwall.com/lists/oss-security/2011/10/15/2
- https://www.openwall.com/lists/oss-security/2011/10/20/6