CVE-2020-15397
📋 TL;DR
This CVE allows unprivileged users (like the uucp account) to execute arbitrary code with root privileges by placing malicious binaries in writable directories that HylaFAX+ scripts execute from. It affects HylaFAX+ up to version 7.0.2 and HylaFAX Enterprise installations where these directories are improperly secured.
💻 Affected Systems
- HylaFAX+
- HylaFAX Enterprise
📦 What is this software?
HylaFAX+ by the HylaFAX+ Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level code execution, allowing attackers to install backdoors, exfiltrate data, or pivot to other systems.
Likely Case
Local privilege escalation where unprivileged users gain root access on the affected system.
If Mitigated
No impact if proper directory permissions are enforced and scripts don't execute from user-writable locations.
🎯 Exploit Status
Exploitation requires local access and knowledge of the vulnerable directory structure. The technique is straightforward once an attacker has local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: HylaFAX+ 7.0.3 and later
Vendor Advisory: http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00039.html
Restart Required: Yes
Instructions:
1. Update to HylaFAX+ 7.0.3 or later.
2. Apply vendor patches if available.
3. Restart HylaFAX services after patching.
🔧 Temporary Workarounds
Secure directory permissions
Remove write permissions for unprivileged users on the HylaFAX script execution directories (Linux):
chmod -R o-w /var/spool/hylafax
chown -R root:root /var/spool/hylafax
Restrict uucp account access
Disable interactive login for the uucp account and limit its access to critical directories (Linux):
usermod -s /sbin/nologin uucp
chmod 750 /var/spool/hylafax
🧯 If You Can't Patch
- Implement strict directory permissions to prevent unprivileged users from writing to /var/spool/hylafax subdirectories
- Monitor for unauthorized file creation in HylaFAX directories and restrict uucp account privileges
🔍 How to Verify
Check if Vulnerable:
Check whether unprivileged users can write to directories under /var/spool/hylafax:
find /var/spool/hylafax -type d -perm -o+w
Check Version:
hfaxd --version 2>/dev/null || faxstat --version 2>/dev/null
Verify Fix Applied:
Verify directory permissions: find /var/spool/hylafax -type d -perm -o+w should return no results.
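The following is an added check, not taken from the advisory or from HylaFAX+ itself, that combines the "Check if Vulnerable" step with the conditions the workarounds above address: a POSIX shell function that reports every spool directory an unprivileged account could write to, which is the precondition for this CVE. The function name, the default spool path and the service account name (uucp) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the advisory or of HylaFAX+): report spool
# directories that an unprivileged account could write to. Needs only
# POSIX sh, find(1), id(1) and sed(1).

# hylafax_writable_dirs [SPOOL_DIR] [SERVICE_USER]
#   Prints one line per directory under SPOOL_DIR (assumed default
#   /var/spool/hylafax) that is world-writable, owned by SERVICE_USER
#   (assumed default uucp), or group-writable by that user's primary group.
#   Returns 0 when nothing is found (spool looks secured), 1 otherwise.
hylafax_writable_dirs() {
    spool="${1:-/var/spool/hylafax}"
    svc="${2:-uucp}"

    hits=$(
        # Any local account can plant a binary in a world-writable directory.
        find "$spool" -type d -perm -o+w 2>/dev/null | sed 's/^/world-writable: /'

        # The service account can plant files in directories it owns or that
        # its group may write to; skipped when the account does not exist.
        if id "$svc" >/dev/null 2>&1; then
            grp=$(id -gn "$svc")
            find "$spool" -type d \( -user "$svc" -o \( -group "$grp" -perm -g+w \) \) 2>/dev/null \
                | sed "s/^/writable by $svc: /"
        fi
    )

    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

Source the file and run `hylafax_writable_dirs` as root; a non-zero exit status means at least one directory still needs the chmod/chown workaround above (a directory can be listed twice if it matches both conditions).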
📡 Detection & Monitoring
Log Indicators:
- Unexpected file creation in /var/spool/hylafax directories
- Unusual process execution from HylaFAX directories by uucp user
Network Indicators:
- Outbound connections from HylaFAX processes to unexpected destinations
SIEM Query:
source="/var/log/auth.log" AND (process="hfaxd" OR user="uucp") AND action="execute"
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00054.html
- https://bugzilla.suse.com/show_bug.cgi?id=1173519
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J52QFVREJWJ35YSEEDDRMZQ2LM2H2WE6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y46FOVJUS5SO44A2VEKR7DXEHTI4WK5L/
- https://security.gentoo.org/glsa/202007-06
- https://sourceforge.net/p/hylafax/HylaFAX+/2534/