CVE-2026-34354
Akamai Guardicore Platform Agent Local Privilege Escalation

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| akamai | guardicore_platform_agent | From 7.0 (inc) to 7.3.1 (inc) |
| akamai | zero_trust_client | From 6.0 (inc) to 6.1.5 (inc) |
CWE

| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows local privilege escalation to root by unprivileged users, potentially enabling unauthorized access to sensitive data or system controls.

Such unauthorized privilege escalation and potential data exposure could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.


Can you explain this vulnerability to me?

This vulnerability affects the Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS. It is a time-of-check to time-of-use (TOCTOU) based local privilege escalation issue. The GPA service creates an inter-process communication (IPC) socket in the world-writable /tmp directory and accepts unauthenticated IPC control messages. An attacker can exploit the HandleSaveLogs() function by creating a log file and then manipulating it into a symbolic link pointing to a targeted file. This allows an unprivileged local user to make arbitrary root-owned files world-writable.

Additionally, a diagnostic collection tool called gimmelogs, which runs with root privileges, is vulnerable to command injection from the dbstore, providing a second vector for privilege escalation. On Windows, while gimmelogs does not have the command injection issue, it can write a ZIP archive to an unintended location.

The affected versions are Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5.


How can this vulnerability impact me?

This vulnerability can allow an unprivileged local user to escalate their privileges to root level on affected systems. Specifically, it enables attackers to make root-owned files world-writable, potentially compromising system integrity and security.

The command injection vulnerability in the gimmelogs tool further increases the risk by allowing attackers to execute arbitrary commands with root privileges.

Overall, exploitation of this vulnerability can lead to full system compromise, unauthorized access to sensitive data, and disruption of normal operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS, specifically versions GPA 7.0 through 7.3.1 and Zero Trust Client 6.0 through 6.1.5. Detection would focus on identifying these versions installed on your systems.

Since the vulnerability exploits a TOCTOU issue with an IPC socket in the world-writable /tmp directory and unauthenticated IPC control messages, you can check for the presence of the GPA service and its IPC socket in /tmp.

  • Check for the GPA service process: `ps aux | grep guardicore`
  • Look for IPC sockets in /tmp related to GPA: `ls -l /tmp | grep guardicore` or `ss -xl | grep /tmp`
  • Verify installed package versions for Akamai Guardicore Platform Agent and Zero Trust Client to confirm if they fall within the vulnerable versions.
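
The checks above can be scripted. The following is an added example, not vendor or advisory code: it tests a version string against the affected ranges listed on this page and pulls filesystem socket paths under /tmp out of `ss -xl` output (Linux). The product keys `gpa`/`ztc`, the packaging-suffix handling, and the sample socket names are assumptions made for illustration; GNU `sort -V` is assumed for version ordering.

```shell
#!/bin/sh
# Added example (not vendor code): triage helpers for CVE-2026-34354.

# ver_le A B: true when version A <= version B (relies on sort -V).
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected PRODUCT VERSION
# PRODUCT keys are this example's own labels: gpa = Guardicore Platform
# Agent (7.0 through 7.3.1), ztc = Zero Trust Client (6.0 through 6.1.5).
# Returns 0 if in range, 1 if not, 2 for an unknown product key.
is_affected() {
    v=${2%%[-+_]*}   # assumption: drop a packaging suffix such as "-3"
    case "$1" in
        gpa) lo=7.0; hi=7.3.1 ;;
        ztc) lo=6.0; hi=6.1.5 ;;
        *)   return 2 ;;
    esac
    ver_le "$lo" "$v" && ver_le "$v" "$hi"
}

# tmp_sockets: read `ss -xl` output on stdin and print filesystem socket
# paths under /tmp. Abstract sockets (leading "@") and the header row
# do not match and are skipped.
tmp_sockets() {
    awk '$5 ~ /^\/tmp\// { print $5 }'
}

# Constructed sample of `ss -xl` output; the socket names are made up.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0 128 /run/dbus/system_bus_socket 20011 * 0
u_str LISTEN 0 128 /tmp/example-agent.sock 31337 * 0
u_str LISTEN 0 128 @/tmp/.X11-unix/X0 20455 * 0'

# Demo on constructed inputs only; nothing on the host is queried here.
for pv in "gpa 7.3.1" "gpa 7.3.2" "ztc 6.1.5-3" "ztc 6.2"; do
    set -- $pv
    if is_affected "$1" "$2"; then s=AFFECTED; else s="not in range"; fi
    printf '%-4s %-8s %s\n' "$1" "$2" "$s"
done
printf '%s\n' "$SAMPLE_SS" | tmp_sockets
```

On a live Linux host, feed the real listing in with `ss -xl | tmp_sockets` and pass the version reported by your package manager to `is_affected`.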

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the Akamai Guardicore Platform Agent and Zero Trust Client to versions later than those affected (beyond GPA 7.3.1 and Zero Trust Client 6.1.5) once patches are available.

Until patches are applied, restrict access to the /tmp directory to prevent exploitation of the world-writable IPC socket, and monitor for suspicious activity related to the GPA service.

Additionally, limit local user permissions to reduce the risk of local privilege escalation.

