WhiteBeam Whitelist Bypass Vulnerability
Vulnerability
A vulnerability has been identified that allows users with local access to a server running WhiteBeam versions 0.2.0 through 0.2.1 to bypass the allow-list functionality. The bypass works because a file is truncated in the OpenFileDescriptor action before the VerifyCanWrite action is executed. As a result, a user with sufficient privileges on Linux can truncate arbitrary files, including WhiteBeam startup files.
Impact
Exploitation of this vulnerability allows a whitelist bypass, which could lead to unauthorized actions or modifications within the application.
Reproduction
To reproduce this vulnerability, a user must have local access to a server running WhiteBeam versions 0.2.0 through 0.2.1. Once access is obtained, the user can leverage the OpenFileDescriptor action to truncate files before the VerifyCanWrite action is applied. This can be done by using the fopen, fopen64, or truncate64 functions, which are part of the Essential whitelist. The FORTIFY_SOURCE variants of these functions may also be used to achieve a similar bypass.
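The ordering flaw described above, modeled as an added example that is not WhiteBeam's code: an fopen call in "w" mode truncates the file at open time, so a write check that runs afterwards can refuse the handle but cannot restore the contents. The function names, the /tmp/wb_ok_ prefix policy and the sample path are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy: only paths starting with /tmp/wb_ok_ may be written. */
static int verify_can_write(const char *p) { return strncmp(p, "/tmp/wb_ok_", 11) == 0; }

/* Flawed order: the open runs first (modes with 'w', 'a' or '+' request write access). */
static FILE *open_then_verify(const char *path, const char *mode) {
    FILE *f = fopen(path, mode);
    if (f && strpbrk(mode, "wa+") && !verify_can_write(path)) {
        fclose(f);
        return NULL;            /* denied, but "w" has already emptied the file */
    }
    return f;
}

/* Corrected order: the check runs before any call that has side effects. */
static FILE *verify_then_open(const char *path, const char *mode) {
    if (strpbrk(mode, "wa+") && !verify_can_write(path))
        return NULL;
    return fopen(path, mode);
}

/* Returns the size of path in bytes, or -1 if it cannot be read. */
static long file_size(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    long n = fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1;
    fclose(f);
    return n;
}

/* Writes 7 bytes to a path the policy denies, attempts a "w" open, returns the size left. */
long size_after_denied_open(int fixed) {
    const char *path = "/tmp/wb_protected_demo.txt";   /* constructed sample path */
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs("secret\n", f); fclose(f);
    f = (fixed ? verify_then_open : open_then_verify)(path, "w");
    if (f) fclose(f);
    long size = file_size(path);
    remove(path);
    return size;
}

int main(void) {
    printf("open-then-verify: %ld bytes left\n", size_after_denied_open(0));
    printf("verify-then-open: %ld bytes left\n", size_after_denied_open(1));
}
```

Both variants return NULL to the caller; only the size of the file afterwards shows which order was used.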
Remediation
Users can upgrade to WhiteBeam version 0.2.2, in which this vulnerability has been patched.
