CVE-2023-32190
📋 TL;DR
This vulnerability in mlocate's %post script allows the RUN_UPDATEDB_AS user to make arbitrary files world-readable by exploiting insecure file operations that run with root privileges. This affects systems using mlocate with the RUN_UPDATEDB_AS feature enabled, potentially exposing sensitive files to unauthorized users.
💻 Affected Systems
- mlocate
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with RUN_UPDATEDB_AS privileges could make sensitive system files (like /etc/shadow, SSH keys, configuration files) world-readable, leading to complete system compromise through credential theft or privilege escalation.
Likely Case
Local users with RUN_UPDATEDB_AS access could read sensitive files they shouldn't have access to, potentially exposing confidential data or gaining information for further attacks.
If Mitigated
With proper access controls and minimal privileges for RUN_UPDATEDB_AS users, impact is limited to files already accessible to that user account.
🎯 Exploit Status
Exploitation requires local access and RUN_UPDATEDB_AS privileges. The vulnerability is well-documented with proof-of-concept available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by distribution - check vendor advisories
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32190
Restart Required: No
Instructions:
1. Check your distribution's security advisories.
2. Update mlocate package using your package manager (yum update mlocate, apt-get update && apt-get upgrade mlocate, etc.).
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable RUN_UPDATEDB_AS feature
Remove or restrict the RUN_UPDATEDB_AS configuration to prevent exploitation
# Edit /etc/updatedb.conf and remove or comment out RUN_UPDATEDB_AS line
# Or set RUN_UPDATEDB_AS to 'root' only
Restrict file permissions
Ensure sensitive files have proper permissions to limit exposure
# Review and tighten permissions on sensitive files
chmod 600 /etc/shadow
chmod 600 /etc/gshadow
# Review other sensitive configuration files
🧯 If You Can't Patch
- Disable the RUN_UPDATEDB_AS feature entirely in /etc/updatedb.conf
- Implement strict access controls and monitor for unauthorized file access attempts
🔍 How to Verify
Check if Vulnerable:
Check if RUN_UPDATEDB_AS is configured in /etc/updatedb.conf and if mlocate version is unpatched
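The configuration half of this check can be scripted. The following is an added example, not part of the original advisory or of mlocate; it assumes the config file holds shell-style KEY=value lines and, following the workaround above, treats an unset value or 'root' as the feature being off. The function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective RUN_UPDATEDB_AS setting in a config file.
# Assumption: shell-style KEY=value lines, where the last assignment wins.

# Print the last uncommented RUN_UPDATEDB_AS value with quotes stripped.
updatedb_as_user() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*RUN_UPDATEDB_AS[[:space:]]*=[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' \
            -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" \
            -e "s/[\"']\$//" |
        tail -n 1
}

# Classify the file. This only covers the configuration; the installed
# package version still has to be compared with the vendor advisory.
check_updatedb_conf() {
    [ -r "$1" ] || { echo "no-config"; return 0; }
    user=$(updatedb_as_user "$1")
    case $user in
        ''|root) echo "feature-off" ;;
        *)       echo "review: RUN_UPDATEDB_AS=$user" ;;
    esac
}

# Constructed sample config (not from a real system) to show the parsing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# RUN_UPDATEDB_AS="root"
RUN_UPDATEDB_AS="nobody"   # constructed value
EOF
check_updatedb_conf "$sample"
rm -f "$sample"

# Real check: path from the page, or pass another file as the first argument.
check_updatedb_conf "${1:-/etc/updatedb.conf}"
```

A "review" result means a non-root account is configured and the package version should be checked against the vendor advisory.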
Check Version:
rpm -q mlocate # RHEL/CentOS/Fedora/SUSE
dpkg -l | grep mlocate # Debian/Ubuntu
Verify Fix Applied:
Verify mlocate package version matches patched version from vendor advisory and test that RUN_UPDATEDB_AS user cannot make arbitrary files world-readable
📡 Detection & Monitoring
Log Indicators:
- Unexpected file permission changes by updatedb processes
- RUN_UPDATEDB_AS user accessing files outside normal scope
- Audit logs showing chmod operations by mlocate processes
Network Indicators:
- N/A - local vulnerability
SIEM Query:
process_name:"updatedb" AND (file_permission_change OR file_access_pattern:/etc/shadow|/root/.ssh/)