SUSE Manager Proxy Path Traversal Vulnerability Allowing Arbitrary File Write and Delete
Vulnerability
A path traversal vulnerability has been identified in the SUSE Manager Proxy tftpsync/add and tftpsync/delete scripts. This vulnerability allows remote attackers on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. The issue arises because the scripts fail to properly sanitize user-provided directory and file_name parameters, explicitly allowing absolute paths. As a result, attackers can manipulate file uploads to overwrite critical PXE boot configurations or hijack the provisioning process of new servers.
Impact
Exploitation of this vulnerability could lead to unauthorized file modifications or deletions, with potential disruption of server provisioning processes, according to SUSE.
Reproduction
The vulnerability can be reproduced by sending a request to the tftpsync/add or tftpsync/delete endpoint with a crafted directory parameter that contains an absolute path. This bypasses the intended TFTP boot directory and allows files to be written or deleted in locations chosen by the attacker.
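The flaw class described above, sketched in Python as an added example (not SUSE Manager's code): a plain path join lets an absolute or `..` component replace the base directory, while the hardened variant rejects such input and compares the resolved path against the boot root. The function names, the sample paths and the temporary root directory are assumptions made for illustration.

```python
import os
import tempfile


def naive_target(root, directory, file_name):
    # Vulnerable pattern: os.path.join() discards `root` when a later
    # component is absolute, and ".." segments are left untouched.
    return os.path.join(root, directory, file_name)


def safe_target(root, directory, file_name):
    """Return a path guaranteed to sit under root, or raise ValueError."""
    if os.path.isabs(directory) or os.path.isabs(file_name):
        raise ValueError("absolute path rejected")
    # file_name must be a single path component, never a nested path.
    if file_name in ("", ".", "..") or os.path.basename(file_name) != file_name:
        raise ValueError("file_name must be a plain file name")
    real_root = os.path.realpath(root)
    # realpath() collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(real_root, directory, file_name))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError("path escapes the boot directory")
    return candidate


def check(root, directory, file_name):
    # Convenience wrapper for the demo loop below.
    try:
        return safe_target(root, directory, file_name)
    except ValueError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="tftpboot-")  # constructed stand-in root
    samples = [  # constructed (directory, file_name) pairs
        ("pxelinux.cfg", "default"),           # legitimate request
        ("/var/tmp/elsewhere", "example"),     # absolute directory
        ("../../elsewhere", "example"),        # relative traversal
        ("pxelinux.cfg", "../../example"),     # traversal via file_name
    ]
    for directory, file_name in samples:
        print(naive_target(root, directory, file_name), "->",
              check(root, directory, file_name))
```

Because the comparison is made on the resolved path, a symlink inside the boot directory that points elsewhere is rejected as well.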
Remediation
Users can update to the latest SUSE Manager Proxy or SUSE Manager Server versions, where this vulnerability has been addressed.
