openSUSE Tumbleweed cyrus-imapd Privilege Escalation Vulnerability
Vulnerability
A vulnerability allowing privilege escalation from the cyrus user to root has been identified in openSUSE Tumbleweed cyrus-imapd versions prior to 3.8.4-2.1. The issue is a symbolic-link-following flaw in a SUSE-specific backup script that runs with root privileges but operates in directories controlled by the unprivileged cyrus service user. A compromised cyrus account can exploit this by placing a symlink to a sensitive file, such as the shadow file, leading to unauthorized access to privileged information.
Impact
Exploitation of this vulnerability allows full local privilege escalation, enabling the cyrus user to gain root access.
Reproduction
The vulnerability can be reproduced by creating a symbolic link in a directory controlled by the cyrus user, pointing to a sensitive file such as /etc/shadow. Once the symlink is in place, the daily backup script will follow the link and expose the contents of the shadow file, effectively escalating privileges to root.
Remediation
The cyrus-imapd service should be configured to run with cyrus user privileges instead of root. Additionally, the backup script should be modified to avoid operating with full root privileges.
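An audit check for the condition described above, added here as an example (it is not code from the advisory or from the cyrus-imapd package): a shell function that lists symlinks under a service-owned directory whose targets resolve outside that directory. The directory argument is an assumption, since the page does not name the paths the backup script reads, and the function relies on `readlink -f` from GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a directory owned by an unprivileged service account
# for symlinks that resolve outside it. A root-run job that follows such a
# link reads or writes a file the service account chose.
# Assumption: the directory to audit is supplied by the caller.

# find_escaping_symlinks DIR
# Prints "LINK -> TARGET" for each symlink below DIR that resolves outside DIR.
# Links that cannot be resolved (for example, loops) are reported as well.
# Returns 2 if DIR is not a directory.
find_escaping_symlinks() {
    root=$(readlink -f -- "$1") || return 2
    [ -d "$root" ] || return 2
    # -xdev: stay on one filesystem; -exec ... {} + copes with odd file names.
    find "$root" -xdev -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            target=$(readlink -f -- "$link" 2>/dev/null) || target="(unresolvable)"
            case $target in
                "$root"/*) ;;   # target stays inside the audited tree
                *) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done
    ' sh "$root" {} +
}

# Run as a script: ./audit.sh /path/to/service/dir
if [ "$#" -gt 0 ]; then
    find_escaping_symlinks "$1"
fi
```

This is a point-in-time check: the service account can create a link after the audit and before the backup runs, so it helps with detection and does not replace fixing the script.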
