openSUSE sdbootutil Insecure Temporary File Vulnerability Allowing Data Manipulation and Information Access
Vulnerability
A vulnerability in openSUSE sdbootutil has been identified, allowing local users to exploit an insecure temporary file issue. This vulnerability arises from the use of a predictable temporary directory in a systemd service, which can be pre-created by users to access private information in '/var/lib/pcrlock.d', manipulate backup data in '/tmp/pcrlock.d.bak', or overwrite protected system files by using symlinks. The issue affects sdbootutil versions prior to a specific commit in the Tumbleweed release.
Impact
Exploitation of this vulnerability could lead to unauthorized access to private information, manipulation of critical backup data, and overwriting of protected system files, potentially causing system instability or data loss.
Reproduction
The vulnerability can be reproduced by pre-creating the '/tmp/pcrlock.d.bak' directory. Once this directory is in place, the 'sdbootutil-update-predictions.service' can be executed, which will inadvertently use the pre-created directory for backups. This process can then be exploited to access private information, alter backup data, or overwrite system files by placing symlinks in the directory tree.
Remediation
It is recommended to modify the systemd service to use a secure, unpredictable directory for backups, such as one created with 'mktemp -d', or to check for the existence of the directory and error out if it already exists.
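Both remediation options above, sketched in POSIX shell as an added example (this is not sdbootutil's code or its actual fix). The function names, the sample file and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not sdbootutil's code. Function names are hypothetical.

# Option 1: unpredictable name. mktemp -d creates the directory atomically
# with mode 0700 and fails rather than reusing an existing path.
make_backup_dir() {
    mktemp -d "${1:-/tmp}/pcrlock.d.bak.XXXXXXXXXX"
}

# Option 2: fixed name, error out if it exists. mkdir without -p fails with
# EEXIST for a directory, a file or a symlink (even a dangling one), so
# nothing pre-created by another user is ever adopted.
claim_fixed_dir() {
    ( umask 077 && mkdir -- "$1" ) 2>/dev/null
}

# Copy a tree into a fresh private directory and print where it went.
# The tree is copied as a child, so the 0700 parent is what guards it.
backup_tree() {
    bt_dest=$(make_backup_dir "$2") || return 1
    if cp -a -- "$1" "$bt_dest/"; then
        printf '%s\n' "$bt_dest"
    else
        rm -rf -- "$bt_dest"
        return 1
    fi
}

# Demo in a throwaway sandbox (constructed data, no real system paths).
demo() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/pcrlock.d" "$sb/tmp"
    echo '{"constructed":"sample"}' > "$sb/pcrlock.d/example.pcrlock"
    mkdir "$sb/tmp/pcrlock.d.bak"    # the fixed path already exists
    if claim_fixed_dir "$sb/tmp/pcrlock.d.bak"; then
        echo "fixed name: adopted existing directory (unsafe)"
    else
        echo "fixed name: refused, directory already exists"
    fi
    echo "mktemp backup: $(backup_tree "$sb/pcrlock.d" "$sb/tmp")"
    rm -rf -- "$sb"
}
demo
```

The fixed-name variant still lets another local user block the backup by creating the path first; the mktemp variant does not have that failure mode.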
