CVE-2015-1396
📋 TL;DR
CVE-2015-1396 is a directory traversal vulnerability in GNU patch versions before 2.7.4 that allows an attacker who supplies a crafted patch file to write to arbitrary files via a symlink attack. It affects systems that use a vulnerable GNU patch version to apply patches from untrusted sources. The vulnerability exists because the fix for CVE-2015-1196 was incomplete.
💻 Affected Systems
- GNU patch
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains arbitrary file write capability, potentially leading to system compromise, data corruption, or privilege escalation by overwriting critical system files.
Likely Case
Local or remote attacker with ability to supply malicious patch files can overwrite files accessible to the patch process user, potentially modifying configuration files or planting backdoors.
If Mitigated
With proper controls limiting patch sources to trusted entities and running patch with minimal privileges, impact is limited to files accessible by the restricted user.
🎯 Exploit Status
Exploitation requires ability to supply malicious patch files to the vulnerable system. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.4 and later
Vendor Advisory: http://www.ubuntu.com/usn/USN-2651-1
Restart Required: No
Instructions:
1. Update GNU patch to version 2.7.4 or later using your distribution's package manager.
2. For Ubuntu: sudo apt-get update && sudo apt-get install patch
3. For other distributions, use the appropriate package manager commands.
🔧 Temporary Workarounds
Restrict patch sources
Only apply patches from trusted, verified sources. Validate patch integrity using checksums before application.
Run patch with minimal privileges
Execute the patch utility under a non-privileged user account to limit the potential damage from file writes.
sudo -u lowprivilegeuser patch -p1 < patchfile
🧯 If You Can't Patch
- Implement strict source control for all patch files, only applying patches from trusted repositories with verified integrity.
- Monitor patch utility usage and file system changes for suspicious activity, particularly unexpected file writes.
🔍 How to Verify
Check if Vulnerable:
Check the GNU patch version with: patch --version | head -1. If the reported version is earlier than 2.7.4, the system is vulnerable. Note that distribution packages may carry the fix as a backport without changing the upstream version string, so compare against the fixed package version in your distribution's advisory (for Ubuntu, USN-2651-1) rather than relying on the upstream number alone.
Check Version:
patch --version | head -1
Verify Fix Applied:
After updating, confirm that the reported version is 2.7.4 or later (or your distribution's fixed package version) with: patch --version | head -1.
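The version check above, as an added POSIX sh example (not from the advisory or the GNU patch project): it parses the banner line that patch --version prints, compares the dotted version numerically against the fixed release 2.7.4, and reports an exit status a deployment script can act on. The banner format and the helper names are assumptions; the upstream-version caveat above still applies to backported distribution packages.

```shell
#!/bin/sh
# Added example: is the installed GNU patch older than the release that fixes CVE-2015-1396?
FIXED_VERSION="2.7.4"   # fixed upstream release named in the advisory

# Pull the dotted version out of a banner line such as "GNU patch 2.7.6" (assumed format).
# Prints nothing when the line carries no version number.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when dotted version $1 is older than $2, comparing each
# component numerically so that 2.10 sorts after 2.7 (plain string order would not).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        # drop the component just compared, or empty the string when none remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${ac:-0}" -lt "${bc:-0}" ] && return 0
        [ "${ac:-0}" -gt "${bc:-0}" ] && return 1
    done
    return 1   # equal: not older
}

# Return 0 when a banner line reports a release older than 2.7.4, 2 when it cannot be parsed.
is_vulnerable_version() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Run the advisory's own check against the patch binary on PATH.
# Exit status: 0 fixed, 1 vulnerable, 2 patch missing or banner not understood.
check_installed_patch() {
    banner=$(patch --version 2>/dev/null | head -n 1)
    [ -n "$banner" ] || { echo "UNKNOWN: patch not found on PATH"; return 2; }
    v=$(extract_version "$banner")
    [ -n "$v" ] || { echo "UNKNOWN: could not parse \"$banner\""; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: patch $v is older than $FIXED_VERSION (check for a distro backport)"
        return 1
    fi
    echo "OK: patch $v is $FIXED_VERSION or later"
    return 0
}

check_installed_patch || true
```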
📡 Detection & Monitoring
Log Indicators:
- Unexpected file writes during patch operations
- Patch failures with symlink-related errors
- File permission changes in unexpected locations
Network Indicators:
- Downloads of patch files from untrusted sources
- Unusual network traffic patterns during patch application
SIEM Query:
Process execution where process_name='patch' AND (file_write_path CONTAINS '../' OR file_write_path CONTAINS 'symlink')
🔗 References
- http://www.openwall.com/lists/oss-security/2015/01/27/29
- http://www.securityfocus.com/bid/75358
- http://www.ubuntu.com/usn/USN-2651-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1186764