Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhnd3AtNHZwNC1xbW0y

Local Privilege Escalation in cloudflared

In cloudflared versions < 2020.8.1 (corresponding to 0.0.0-20200820025921-9323844ea773 on pkg.go.dev) on Windows, if an administrator has started cloudflared and set it to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration was due to the way that cloudflared reads its configuration file. One of the locations that cloudflared reads from (C:\etc) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user. Upon reading this config, cloudflared would output an error message to a log file defined in the malformed config. The user-controlled log file location could be set to a specific location that Windows will execute when any user logs in.

Permalink: https://github.com/advisories/GHSA-hgwp-4vp4-qmm2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhnd3AtNHZwNC1xbW0y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago

CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00042
EPSS Percentile: 0.05089

Identifiers: GHSA-hgwp-4vp4-qmm2, CVE-2020-24356
References:

• https://github.com/cloudflare/cloudflared/security/advisories/GHSA-hgwp-4vp4-qmm2
• https://nvd.nist.gov/vuln/detail/CVE-2020-24356
• https://github.com/cloudflare/cloudflared/commit/9323844ea773b1444460fa09295ab8c01a88d97e
• https://github.com/advisories/GHSA-hgwp-4vp4-qmm2

Repository: https://github.com/cloudflare/cloudflared
Blast Radius: 3.7

Affected Packages