Compliance Impact

The vulnerability in the mv utility's handling of extended attributes during cross-device moves can lead to inconsistent or insecure states of security-sensitive metadata such as SELinux labels or file capabilities.

While the issue primarily affects correctness and security of file metadata, it may indirectly impact compliance with standards like GDPR or HIPAA if these rely on the integrity and security of file attributes to enforce access controls or data protection policies.

Specifically, if privileged processes move files containing sensitive data and rely on extended attributes for security enforcement, this TOCTOU flaw could cause security labels to be inconsistent or incorrect, potentially leading to unauthorized access or data exposure.

Therefore, organizations subject to such regulations should consider this vulnerability as a risk to maintaining proper security controls on sensitive data, which is a key aspect of compliance.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) issue in the mv utility of uutils coreutils when performing cross-device moves. The problem arises because the extended attribute (xattr) preservation logic uses multiple path-based system calls that each perform a fresh path-to-inode lookup. A local attacker who has write access to the directory can exploit this timing window to swap files between these calls, causing the destination file to end up with a mixed set of security extended attributes, such as SELinux labels or file capabilities.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is that an attacker with local write access to the directory can cause the destination file to receive inconsistent or incorrect security extended attributes. This can lead to improper security labeling or capabilities being assigned to files, potentially allowing unauthorized access or privilege escalation within the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a race condition in the mv utility's handling of extended attributes during cross-device moves. Detection involves observing inconsistent or unexpected extended attribute values on files moved across filesystems.

A practical approach to detect this issue is to monitor or test the behavior of the mv command when moving files with security-sensitive extended attributes (such as SELinux labels or file capabilities) across filesystem boundaries.

One can attempt to reproduce the race condition by repeatedly modifying extended attributes on a source file while moving it across filesystems and then checking the destination file's xattrs for inconsistencies.

Commands that may help in detection include:

• Using `getfattr -d <filename>` to list extended attributes before and after moving files.
• Using `setfattr` to modify extended attributes repeatedly on a source file.
• Using `mv` to move files across different mounted filesystems.
• Scripting a loop that modifies xattrs and moves files to observe inconsistent xattr states on the destination.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable mv utility for cross-device moves involving files with security-sensitive extended attributes.

Instead, use alternative methods or tools that handle extended attributes atomically or use inode-based operations rather than path-based lookups.

Restrict write access to directories where such moves occur to trusted users only, reducing the risk of exploitation by local attackers.

Monitor for updates or patches from the uutils coreutils project and apply them as soon as they become available to fix the TOCTOU issue.

Useful 0 Not Useful 0