SecureDrop Client Path Traversal Vulnerability in Qubes VM Log Handling

Vulnerability

A path traversal vulnerability has been identified in the SecureDrop Client's logging mechanism within the Qubes-based SecureDrop Workstation. This issue affects SecureDrop Client versions through 0.14.0 and Workstation versions through 1.0.0. The vulnerability allows an attacker with existing code execution in a virtual machine (VM) that logs to the 'sd-log' VM to manipulate log entries. By sending a crafted log entry, the attacker could execute code in the 'sd-log' VM, which is isolated from the internet but collects logs from other VMs for support and debugging purposes. The flaw stems from VM names that are not sanitized before being used to build log file paths: a crafted name lets the attacker write a log file outside the intended log directory, overwriting other logs or placing a file where XFCE treats it as a 'desktop' entry, which leads to code execution.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution in the 'sd-log' virtual machine, allowing an attacker to manipulate log files and potentially execute malicious payloads.

Reproduction

To reproduce this vulnerability, an attacker must first gain code execution in a virtual machine that is configured to log to the 'sd-log' VM. Once this is established, the attacker can send a log entry that includes a crafted VM name, exploiting the path traversal flaw to execute code in the 'sd-log' VM. This can be done by directing the 'sd-log' VM to write a file named 'syslog.log' with controlled content into a directory that XFCE treats as containing 'desktop' files, such as '/home/user/.config/autostart/'.
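The root cause is a remote-supplied VM name used as a path component. The following added example (illustrative code, not SecureDrop's own implementation) contrasts that unchecked pattern with a hardened path builder that allowlists the name and independently verifies the resolved path stays under the log root. The log root, the VM-name pattern and the sample names are assumptions for this example.

```python
import os
import re
from pathlib import Path

# Constructed log root for this example; the real sd-log layout may differ.
LOG_ROOT = Path("/home/user/QubesIncomingLogs")

# Assumed allowlist for illustration: a leading alphanumeric, then letters,
# digits, '-' or '_', at most 31 characters overall. Check it against the
# VM-name rules of the Qubes release you deploy on.
VM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,30}$")


def unsafe_log_path(vm_name: str) -> Path:
    """Vulnerable pattern: the name is joined onto the log root unchecked,
    so '..' or '/' in it moves the write outside LOG_ROOT."""
    return LOG_ROOT / vm_name / "syslog.log"


def escapes_root(path: Path) -> bool:
    """Containment check: True if the normalised path is not under LOG_ROOT."""
    resolved = Path(os.path.normpath(path))
    return LOG_ROOT not in resolved.parents


def safe_log_path(vm_name: str) -> Path:
    """Hardened form: reject anything outside the allowlist, then confirm
    containment as a second, independent layer (defence in depth)."""
    if not VM_NAME_RE.fullmatch(vm_name):
        raise ValueError(f"rejected VM name: {vm_name!r}")
    candidate = LOG_ROOT / vm_name / "syslog.log"
    if escapes_root(candidate):
        raise ValueError(f"log path escapes log root: {candidate}")
    return Path(os.path.normpath(candidate))


def is_accepted(vm_name: str) -> bool:
    """Convenience wrapper: does the hardened builder accept this name?"""
    try:
        safe_log_path(vm_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("sd-app", "../.config/autostart", "/etc"):
        print(f"{name!r}: unsafe -> {unsafe_log_path(name)}, "
              f"escapes root: {escapes_root(unsafe_log_path(name))}, "
              f"accepted by hardened builder: {is_accepted(name)}")
```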

Remediation

Users can upgrade to SecureDrop Client versions 0.14.1 or 1.0.1, both of which include a patch for this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.0
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.