CVE-2022-25643
📋 TL;DR
CVE-2022-25643 is a privilege escalation vulnerability in seatd-launch (part of seatd 0.6.x) that lets local users delete arbitrary files with root privileges when the binary is installed setuid root. The flaw stems from seatd-launch acting on a user-controlled socket pathname while privileged. It affects systems running seatd 0.6.x with seatd-launch installed setuid root.
💻 Affected Systems
- seatd
- seatd-launch
📦 What is this software?
Seatd by Seatd Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file deletion, potentially leading to denial of service, privilege escalation, or system instability by deleting critical system files.
Likely Case
Local privilege escalation allowing unprivileged users to delete files they shouldn't have access to, potentially disrupting system operations or other users' data.
If Mitigated
Limited impact if seatd is not installed setuid root or if proper file permissions prevent exploitation.
🎯 Exploit Status
Exploitation requires local user access. The vulnerability is straightforward to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.4
Vendor Advisory: https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CETEO7R.QG8B1KGD531R1%40kl.wtf%3E
Restart Required: No
Instructions:
1. Update seatd to version 0.6.4 or later.
2. Use your package manager: 'sudo apt update && sudo apt upgrade seatd' (Debian/Ubuntu) or the equivalent for your distribution.
3. For source installations: download 0.6.4 from GitHub, compile, and install.
🔧 Temporary Workarounds
Remove setuid permissions
Linux: remove the setuid root bit from the seatd-launch binary to prevent privilege escalation
sudo chmod u-s /usr/bin/seatd-launch
Uninstall seatd
Linux: remove the seatd package if it is not needed
sudo apt remove seatd
sudo yum remove seatd
🧯 If You Can't Patch
- Remove setuid permissions from seatd-launch binary
- Implement strict access controls to limit local user access to affected systems
🔍 How to Verify
Check if Vulnerable:
Check the seatd version with 'seatd --version', 'dpkg -l | grep seatd', or 'rpm -qa | grep seatd'. If the version is 0.6.0 through 0.6.3 and seatd-launch has the setuid bit set, the system is vulnerable.
Check Version:
seatd --version 2>/dev/null || dpkg -l seatd 2>/dev/null || rpm -q seatd 2>/dev/null
Verify Fix Applied:
Verify that the seatd version is 0.6.4 or later: 'seatd --version'. Check the seatd-launch permissions: 'ls -la /usr/bin/seatd-launch' should not show an 's' in the owner execute position.
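The two checks above (affected version range and setuid bit on seatd-launch) combined into one POSIX sh script, added here as an example and not taken from the advisory or the seatd project; it assumes seatd-launch at /usr/bin/seatd-launch, the path used above, and that 'seatd --version' prints a dotted version somewhere in its output.

```shell
#!/bin/sh
# Added verification helper for CVE-2022-25643 (not from the advisory or seatd).

# Return 0 when VERSION is in the affected range 0.6.0 through 0.6.3.
seatd_version_affected() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    maj=${1:-}; min=${2:-}; pat=${3:-}
    [ "$maj" = 0 ] && [ "$min" = 6 ] || return 1
    case "$pat" in ''|*[!0-9]*) return 1 ;; esac   # reject a non-numeric patch level
    [ "$pat" -le 3 ]
}

# Return 0 when an ls -l mode string such as -rwsr-xr-x carries the setuid bit
# ('s' or 'S' in the owner execute position).
mode_has_setuid() {
    case "$1" in ???[sS]*) return 0 ;; *) return 1 ;; esac
}

# Combine both conditions the advisory names. Prints exactly one of:
# vulnerable, version-not-affected, not-setuid.
classify() {
    ver=$1; mode=$2
    if ! seatd_version_affected "$ver"; then echo version-not-affected
    elif ! mode_has_setuid "$mode"; then echo not-setuid
    else echo vulnerable
    fi
}

# Live check: read the version and the binary's mode from the running system.
# Falls back to dpkg-query and rpm when 'seatd --version' yields nothing.
check_system() {
    bin=${1:-/usr/bin/seatd-launch}   # assumed install path
    ver=$(seatd --version 2>/dev/null | grep -o '[0-9]*\.[0-9]*\.[0-9]*' | head -n1)
    [ -n "$ver" ] || ver=$(dpkg-query -W -f '${Version}' seatd 2>/dev/null | grep -o '^[0-9]*\.[0-9]*\.[0-9]*')
    [ -n "$ver" ] || ver=$(rpm -q --qf '%{VERSION}' seatd 2>/dev/null)
    mode=$(ls -l "$bin" 2>/dev/null | cut -c1-10)
    if [ -z "$ver" ] || [ -z "$mode" ]; then echo unknown; return 2; fi
    printf 'seatd %s, %s %s: ' "$ver" "$bin" "$mode"
    classify "$ver" "$mode"
}
```

Run 'check_system' on a host to get a one-line verdict; 'classify' can be fed values collected from inventory tooling instead.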
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- Failed attempts to access privileged files by unprivileged users
Network Indicators:
- No network indicators - local vulnerability only
SIEM Query:
Process execution of seatd-launch with unusual arguments or by unexpected users
🔗 References
- https://github.com/kennylevinsen/seatd/commit/10658dc5439db429af0088295a051c53925a4416
- https://github.com/kennylevinsen/seatd/commit/7cffe0797fdb17a9c08922339465b1b187394335
- https://github.com/kennylevinsen/seatd/compare/0.6.3...0.6.4
- https://github.com/kennylevinsen/seatd/tags
- https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CETEO7R.QG8B1KGD531R1%40kl.wtf%3E
- https://nvd.nist.gov/vuln/detail/CVE-2022-25643