util-linux SUID Binary /usr/bin/mount TOCTOU Vulnerability Allowing Unauthorized Access to Root-Owned Files

Vulnerability

A TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux, prior to version 2.41.4. The vulnerability arises when the mount binary, while setting up loop devices, validates the source file path with user privileges but then re-canonicalizes and opens it with root privileges without ensuring that the path has not been altered in the interim. This oversight allows a local unprivileged user to replace the source file with a symlink to any root-owned file or device, exploiting the race condition to gain unauthorized access to sensitive data. The issue has been patched in version 2.41.4.
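The race described above, as an added illustration that is not util-linux code and does not reproduce its exact fix: a path-based check followed by a path-based privileged open, beside the shape that removes the window by opening with the caller's effective credentials and validating the descriptor it actually obtained. The function names and the ownership check are assumptions for the example only.

```c
/* Added example, not util-linux code: the check-then-use race beside an
 * fd-based alternative that closes it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape: the permission check and the privileged open both go
 * through the path string. Nothing pins the path to the object that was
 * checked, so a symlink swapped in between the two calls is what open()
 * follows with root privileges. */
int open_source_toctou(const char *path, uid_t user)
{
    struct stat st;
    if (stat(path, &st) < 0 || st.st_uid != user)
        return -1;                      /* check: by path */
    /* race window: path may now be a symlink to a root-owned file */
    return open(path, O_RDONLY);        /* use: by path, as root */
}

/* Safe shape: open while the effective credentials are the caller's, refuse
 * a symlink as the final component, then validate the object actually opened
 * with fstat(). Everything downstream (e.g. the loop-device setup) consumes
 * this fd and never touches the path again. */
int open_source_safe(const char *path, uid_t user, gid_t group)
{
    uid_t priv_uid = geteuid();
    gid_t priv_gid = getegid();
    if (setegid(group) < 0 || seteuid(user) < 0)
        return -1;                      /* kernel now checks access as the user */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved = errno;
    /* restore privileges before doing anything else */
    if (seteuid(priv_uid) < 0 || setegid(priv_gid) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) { errno = saved; return -1; }
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);                      /* only a regular file is a loop source here */
        return -1;
    }
    return fd;
}
```

Run as an unprivileged user the credential switch is a no-op, but the O_NOFOLLOW plus fstat() check still rejects a symlink that the path-based variant silently follows.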

Impact

Exploitation of this vulnerability allows for unauthorized read access to root-protected files and block devices, including sensitive data such as backup images, disk volumes, and any file containing a valid filesystem.

Reproduction

To reproduce this vulnerability, create an /etc/fstab entry with the user,loop options whose source path is in a writable directory. Ensure that /usr/bin/mount has the SUID bit set, which is the default on most Linux distributions. The exploit involves replacing the legitimate file with a symlink to a root-owned file during the race window, after the path has been validated but before it is opened with root privileges.

Remediation

Users can update to util-linux version 2.41.4 or later, where this vulnerability has been patched.

Added: Apr 3, 2026, 10:20 PM
Updated: Apr 3, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
  spread:         8.4
  impact:         0.2
  exploitability: 4.2
  remediation:    8.3
  relevance:      5.2
  threat:         6.4
  urgency:        2.9
  incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.