CVE-2022-48337
📋 TL;DR
CVE-2022-48337 is a command injection vulnerability in GNU Emacs' etags utility that allows attackers to execute arbitrary commands via shell metacharacters in source-code filenames. This affects users who run etags commands (particularly 'etags -u *' as suggested in documentation) in directories containing untrusted files. The vulnerability has a CVSS score of 9.8 due to its potential for remote code execution with high impact.
💻 Affected Systems
- GNU Emacs
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the privileges of the user running etags, potentially leading to lateral movement, data exfiltration, or ransomware deployment.
Likely Case
Local privilege escalation or arbitrary command execution in development environments where etags processes untrusted source code files.
If Mitigated
Limited impact if users don't run etags on untrusted files and follow principle of least privilege.
🎯 Exploit Status
Exploitation requires convincing a user to run etags on malicious filenames. The vulnerability is well-documented with public proof-of-concept available in commit references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Emacs 28.3 and later
Vendor Advisory: https://lists.gnu.org/archive/html/emacs-devel/2023-01/msg00123.html
Restart Required: No
Instructions:
1. Update Emacs to version 28.3 or later.
2. For package managers: 'sudo apt update && sudo apt upgrade emacs' (Debian/Ubuntu) or 'sudo yum update emacs' (RHEL/Fedora).
3. Verify installation with 'emacs --version'.
🔧 Temporary Workarounds
Avoid etags on untrusted directories
all: Do not run etags commands in directories containing untrusted files or filenames.
Use alternative tagging tools
linux: Replace etags with ctags or other tagging utilities that are not vulnerable.
sudo apt install universal-ctags
Use 'ctags' instead of 'etags'
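For the "Avoid etags on untrusted directories" workaround, a pre-check can flag suspicious filenames before a tree is tagged. The script below is an added example, not code from the Emacs project or the vendor advisory; the function names and the character set (a superset of the characters in this page's SIEM query) are assumptions.

```shell
#!/bin/sh
# Added example: pre-check a source tree before running `etags -u *` in it.
# Assumption: the glob below is the "suspicious" set; widen it to suit your policy.
META_GLOB='*[;&|`$()<>"]*'

# Print every path under DIR whose name contains one of those characters
# or a single quote. Directory names are checked too, since `*` expands to them.
list_risky_names() {
    find "${1:-.}" \( -name "$META_GLOB" -o -name "*'*" \) -print
}

# Return 0 when DIR has no such names; otherwise report them on stderr and return 1.
tree_is_clean() {
    risky=$(list_risky_names "${1:-.}")
    [ -z "$risky" ] && return 0
    printf 'not tagging %s, suspicious filenames:\n%s\n' "${1:-.}" "$risky" >&2
    return 1
}

# Usage (from the directory to be tagged):
#   tree_is_clean . && etags -u *
```

The check only narrows exposure on an unpatched etags; updating Emacs remains the fix.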
🧯 If You Can't Patch
- Restrict etags usage through policy or permissions - remove execute permissions from etags binary for non-privileged users
- Implement file integrity monitoring on etags binary and alert on execution in suspicious contexts
🔍 How to Verify
Check if Vulnerable:
Check Emacs version: 'emacs --version' and verify if it's 28.2 or earlier. Also check if etags binary exists and is from vulnerable Emacs package.
Check Version:
emacs --version | head -1
Verify Fix Applied:
After update, verify 'emacs --version' shows 28.3 or later. Test with known safe filenames containing shell metacharacters to ensure no command execution occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution following etags commands
- Shell commands with unexpected arguments spawned from etags process
Network Indicators:
- Outbound connections from etags process (unexpected)
SIEM Query:
process_name:etags AND (process_args:*;* OR process_args:*&* OR process_args:*|* OR process_args:*`*)
🔗 References
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
- https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/
- https://www.debian.org/security/2023/dsa-5360