CVE-2020-7040
📋 TL;DR
CVE-2020-7040 is a symlink attack vulnerability in storeBackup.pl that allows local users to create or manipulate the /tmp/storeBackup.lock file. This can lead to privilege escalation by tricking the backup script into overwriting sensitive files, or cause denial of service by blocking backup operations. Affected users are those running storeBackup versions through 3.5 on Unix-like systems.
💻 Affected Systems
- storeBackup
📦 What is this software?
Backports Sle by Opensuse
Leap by Opensuse
Storebackup by Storebackup
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation where an attacker gains root access by manipulating the lock file to overwrite critical system files.
Likely Case
Denial of service where local users create a lock file to block legitimate backup operations until manual intervention.
If Mitigated
Minimal impact if proper file permissions and secure temporary directory practices are implemented.
🎯 Exploit Status
Exploitation requires local shell access and knowledge of the system. Proof of concept involves creating symlinks or files in /tmp.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: storeBackup 3.6 and later
Vendor Advisory: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00054.html
Restart Required: No
Instructions:
1. Download storeBackup version 3.6 or later from the official repository.
2. Replace the existing storeBackup.pl script with the patched version.
3. Verify the fix by checking the version or testing lock file creation.
🔧 Temporary Workarounds
Secure temporary directory usage
Modify storeBackup.pl to use a secure temporary directory with proper permissions instead of /tmp (Linux)
sed -i 's|/tmp/storeBackup\.lock|/var/run/storeBackup.lock|' /path/to/storeBackup.pl
Set restrictive permissions on lock file
Ensure the lock file is created with restrictive permissions and owned by root (Linux)
chmod 600 /tmp/storeBackup.lock
chown root:root /tmp/storeBackup.lock
🧯 If You Can't Patch
- Restrict access to storeBackup.pl to trusted users only using file permissions
- Monitor /tmp/storeBackup.lock for unauthorized creation or modification
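An added example (not part of the original advisory or of storeBackup) of the monitoring check suggested above: a POSIX shell function that classifies the lock path and reports a symlink, a non-regular file, an unexpected owner, or a mode looser than 0600. The function name check_lock, its verdict strings and the default expected owner of uid 0 are assumptions.

```shell
#!/bin/sh
# Added example, not part of storeBackup. check_lock and its verdict
# strings are hypothetical; the default path comes from the advisory.
# Usage: check_lock [path] [expected_uid]
check_lock() {
    lock=${1:-/tmp/storeBackup.lock}
    want_uid=${2:-0}                  # assumption: backups run as root

    # Test -L first: -e and -f follow symlinks, so a dangling link would
    # otherwise be reported as "no lock file".
    if [ -L "$lock" ]; then
        echo "SYMLINK $(readlink "$lock")"
        return 2
    fi
    if [ ! -e "$lock" ]; then
        echo "ABSENT"
        return 0
    fi
    if [ ! -f "$lock" ]; then
        echo "NOT_REGULAR"
        return 2
    fi

    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    meta=$(ls -ldn "$lock" | awk '{print $1 ":" $3}')
    mode=${meta%%:*}
    uid=${meta##*:}

    if [ "$uid" != "$want_uid" ]; then
        echo "WRONG_OWNER uid=$uid"
        return 2
    fi
    case $mode in
        -rw-------*) echo "OK"; return 0 ;;   # 0600, as in the workaround
        *)           echo "LOOSE_MODE $mode"; return 1 ;;
    esac
}

# Run a check only when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_lock "$@"; fi
```

Exit status 2 marks states that need investigation (symlink, non-regular file, wrong owner), 1 marks a mode looser than 0600, and 0 means the lock is absent or matches the expected owner and mode.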
🔍 How to Verify
Check if Vulnerable:
Check storeBackup version: storeBackup.pl --version | grep -E '(^|[^0-9.])([0-2]\.[0-9]+|3\.[0-5])([^0-9]|$)'
Check Version:
storeBackup.pl --version
Verify Fix Applied:
Verify version is 3.6 or later: storeBackup.pl --version | grep -E '(^|[^0-9.])(3\.([6-9]|[1-9][0-9]+)|([4-9]|[1-9][0-9]+)\.[0-9]+)([^0-9]|$)'
📡 Detection & Monitoring
Log Indicators:
- Failed backup operations due to lock file issues
- Unauthorized file creation in /tmp directory
Network Indicators:
- None - this is a local attack
SIEM Query:
process.name='storeBackup.pl' AND file.path='/tmp/storeBackup.lock' AND file.action='create'
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00054.html
- http://www.openwall.com/lists/oss-security/2020/01/20/3
- http://www.openwall.com/lists/oss-security/2020/01/21/2
- http://www.openwall.com/lists/oss-security/2020/01/22/2
- http://www.openwall.com/lists/oss-security/2020/01/22/3
- http://www.openwall.com/lists/oss-security/2020/01/23/1
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-7040
- https://lists.debian.org/debian-lts-announce/2020/02/msg00003.html
- https://seclists.org/oss-sec/2020/q1/20
- https://usn.ubuntu.com/4508-1/