CVE: CVE-2020-27833

Export to Word

A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command `oc image extract`. If a symbolic link is first created pointing within the tarball, this allows further symbolic links to bypass the existing path check. This flaw allows the tarball to create links outside the tarball's parent directory, allowing for executables or configuration files to be overwritten, resulting in arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions up to and including openshift-clients-4.7.0-202104250659.p0.git.95881af are affected.

Threat-Mapped Scoring

Score: 1.8

Priority: P4 - Informational (Low)

S9 – Sabotage of System/App

EPSS

Score: 0.0013
Percentile: 0.33394

CVSS Scoring

CVSS v3.1 Score: 7.1

Severity: HIGH

Mapped CWE(s)

CWE-20 : Improper Input Validation
CWE-59 : Improper Link Resolution Before File Access ('Link Following')

All CAPEC(s)

CAPEC-10: Buffer Overflow via Environment Variables
CAPEC-101: Server Side Include (SSI) Injection
CAPEC-104: Cross Zone Scripting
CAPEC-108: Command Line Execution through SQL Injection
CAPEC-109: Object Relational Mapping Injection
CAPEC-110: SQL Injection through SOAP Parameter Tampering
CAPEC-120: Double Encoding
CAPEC-13: Subverting Environment Variable Values
CAPEC-132: Symlink Attack
CAPEC-135: Format String Injection
CAPEC-136: LDAP Injection
CAPEC-14: Client-side Injection-induced Buffer Overflow
CAPEC-153: Input Data Manipulation
CAPEC-17: Using Malicious Files
CAPEC-182: Flash Injection
CAPEC-209: XSS Using MIME Type Mismatch
CAPEC-22: Exploiting Trust in Client
CAPEC-23: File Content Injection
CAPEC-230: Serialized Data with Nested Payloads
CAPEC-231: Oversized Serialized Data Payloads
CAPEC-24: Filter Failure through Buffer Overflow
CAPEC-250: XML Injection
CAPEC-261: Fuzzing for garnering other adjacent user/sensitive data
CAPEC-267: Leverage Alternate Encoding
CAPEC-28: Fuzzing
CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-35: Leverage Executable Code in Non-Executable Files
CAPEC-42: MIME Conversion
CAPEC-43: Exploiting Multiple Input Interpretation Layers
CAPEC-45: Buffer Overflow via Symbolic Links
CAPEC-46: Overflow Variables and Tags
CAPEC-47: Buffer Overflow via Parameter Expansion
CAPEC-473: Signature Spoof
CAPEC-52: Embedding NULL Bytes
CAPEC-53: Postfix, Null Terminate, and Backslash
CAPEC-588: DOM-Based XSS
CAPEC-63: Cross-Site Scripting (XSS)
CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-664: Server Side Request Forgery
CAPEC-67: String Format Overflow in syslog()
CAPEC-7: Blind SQL Injection
CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
CAPEC-72: URL Encoding
CAPEC-73: User-Controlled Filename
CAPEC-76: Manipulating Web Input to File System Calls
CAPEC-78: Using Escaped Slashes in Alternate Encoding
CAPEC-79: Using Slashes in Alternate Encoding
CAPEC-8: Buffer Overflow in an API Call
CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic
CAPEC-81: Web Server Logs Tampering
CAPEC-83: XPath Injection
CAPEC-85: AJAX Footprinting
CAPEC-88: OS Command Injection
CAPEC-9: Buffer Overflow in Local Command-Line Utilities

CAPEC(s) with Mapped TTPs

CAPEC-13: Subverting Environment Variable Values
Mapped TTPs:
- T1562.003 : Impair Command History Logging
- T1574.006 : Dynamic Linker Hijacking
- T1574.007 : Path Interception by PATH Environment Variable
CAPEC-132: Symlink Attack
Mapped TTPs:
- T1547.009 : Shortcut Modification
CAPEC-17: Using Malicious Files
Mapped TTPs:
- T1574.005 : Executable Installer File Permissions Weakness
- T1574.010 : Services File Permissions Weakness
CAPEC-267: Leverage Alternate Encoding
Mapped TTPs:
- T1027 : Obfuscated Files or Information
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
Mapped TTPs:
- T1539 : Steal Web Session Cookie
CAPEC-35: Leverage Executable Code in Non-Executable Files
Mapped TTPs:
- T1027.006 : HTML Smuggling
- T1027.009 : Embedded Payloads
- T1564.009 : Resource Forking
CAPEC-473: Signature Spoof
Mapped TTPs:
- T1036.001 : Invalid Code Signature
- T1553.002 : Code Signing

Mapped ATT&CK TTPs

T1562.003 : Impair Command History Logging
Kill Chain: defense-evasion
T1574.006 : Dynamic Linker Hijacking
Kill Chain: persistence
T1574.007 : Path Interception by PATH Environment Variable
Kill Chain: persistence
T1547.009 : Shortcut Modification
Kill Chain: persistence
T1574.005 : Executable Installer File Permissions Weakness
Kill Chain: persistence
T1574.010 : Services File Permissions Weakness
Kill Chain: persistence
T1027 : Obfuscated Files or Information
Kill Chain: defense-evasion
T1539 : Steal Web Session Cookie
Kill Chain: credential-access
T1027.006 : HTML Smuggling
Kill Chain: defense-evasion
T1027.009 : Embedded Payloads
Kill Chain: defense-evasion
T1564.009 : Resource Forking
Kill Chain: defense-evasion
T1036.001 : Invalid Code Signature
Kill Chain: defense-evasion
T1553.002 : Code Signing
Kill Chain: defense-evasion

Malware

APTs Threat Group Associations

Campaigns

APT41 DUST
ArcaneDoor
SolarWinds Compromise
Operation Honeybee
2016 Ukraine Electric Power Attack
RedDelta Modified PlugX Infection Chain Operations
Operation Dream Job
C0015
C0021
C0017

Affected Products

cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*

← Back to Home