In most cases the issue poses limited risk, because the attacker must already hold sudo access. It can, however, lead to a denial of service (DoS) where an application using SSSM is configured to require sudo access and can only be administered through sudo.

CVE-2017-3237

One application that may be affected by this issue is the S3 backup/restore agent for Amazon Elasticsearch Service (Amazon ESS), since the agent can be configured to require sudo access.

Beyond misuse by an attacker who already holds sudo access, the issue can also be used to escalate privileges to root.

Resolution

See the vendor's bulletin for resolution.

Products Affected

The following products are confirmed to be vulnerable:

- Amazon Elasticsearch Service (Amazon ESS)

Vulnerability Details

The vulnerability lies in how SSSM handles a retry of an operation on files that share the same name. It stems from an unspecified defect in SSSM's file name comparison code; the exact trigger condition is not documented. An attacker could exploit the issue with a specially crafted file name that causes an application using SSSM to perform unintended actions.
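
The advisory does not say what the comparison defect is, so the following is an added, constructed illustration of the general bug class it describes (a retry path that re-finds a file by comparing names) rather than the SSSM code or the actual CVE mechanism. The loose_match, exact_match, resume_target and open_verified functions, the staging directory layout and the crafted name "Backup.tar " are all hypothetical. It shows how a normalising comparison lets an attacker-created entry win the retry lookup, and how byte-exact matching plus an O_NOFOLLOW open with a device/inode check closes that path.

```python
"""Hypothetical illustration of a name-comparison pitfall in a retry path.

Constructed example for this advisory; it does NOT model the undocumented
SSSM defect. Everything here (names, layout, functions) is made up.
"""
import os
import shutil
import tempfile
import unicodedata


def loose_match(entry: str, wanted: str) -> bool:
    """Vulnerable style: 'helpful' normalisation lets distinct entries collide."""
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKC", s).strip().casefold()
    return fold(entry) == fold(wanted)


def exact_match(entry: str, wanted: str) -> bool:
    """Hardened: a file name is an opaque byte string; only byte equality counts."""
    return os.fsencode(entry) == os.fsencode(wanted)


def resume_target(directory: str, wanted: str, match) -> str:
    """Simulated retry: re-scan `directory` for the entry written earlier.

    Entries are scanned in sorted order, which is what lets a crafted name
    that sorts first win under loose_match.
    """
    for entry in sorted(os.listdir(directory)):
        if match(entry, wanted):
            return os.path.join(directory, entry)
    raise FileNotFoundError(wanted)


def open_verified(path: str) -> int:
    """Hardened open for the retry: refuse symlinks (O_NOFOLLOW) and confirm the
    opened fd is the same object lstat() saw, so a swap between check and use
    raises instead of silently acting on a different file."""
    fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)
    try:
        before = os.lstat(path)
        after = os.fstat(fd)
        if (before.st_dev, before.st_ino) != (after.st_dev, after.st_ino):
            raise OSError(f"{path} changed between check and open")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Builds a staging dir (constructed data) with the agent's own file and an
    attacker lookalike that is a symlink to a file the attacker wants touched."""
    root = tempfile.mkdtemp()
    try:
        staging = os.path.join(root, "staging")
        os.mkdir(staging)
        victim = os.path.join(root, "important.conf")
        with open(victim, "w") as f:
            f.write("keep me\n")
        with open(os.path.join(staging, "backup.tar"), "w") as f:
            f.write("agent data\n")
        # Crafted name: sorts before "backup.tar" (uppercase B) and folds to the
        # same string once stripped and case-folded.
        os.symlink(victim, os.path.join(staging, "Backup.tar "))

        loose = resume_target(staging, "backup.tar", loose_match)
        exact = resume_target(staging, "backup.tar", exact_match)
        try:
            os.close(open_verified(loose))
            loose_open_refused = False
        except OSError:
            loose_open_refused = True
        os.close(open_verified(exact))
        return {
            "loose_picks": os.path.basename(loose),
            "exact_picks": os.path.basename(exact),
            "loose_open_refused": loose_open_refused,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The practitioner-level takeaway is independent of the real defect: any retry that re-identifies its target by a string comparison is only as strong as that comparison, so identify files by an open descriptor (or device/inode pair) captured on the first attempt, and treat names as exact bytes rather than normalising them.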

A deployment is exposed when an application that uses SSSM is configured to require sudo access and can only be administered through sudo, such as the backup/restore agent for Amazon Elasticsearch Service (Amazon ESS).

Sudo vulnerability example

One possible scenario: an attacker who already has sudo access and is granted additional privileges inside a privileged container could exploit the issue to escalate their privileges further.

Timeline

Published on: 04/20/2022 10:15:00 UTC
Last modified on: 05/03/2022 19:52:00 UTC

References