Executive Summary

This vulnerability exists in Archive::Tar versions before 3.08 for Perl, where the module extracts hardlinks from a tar archive without properly validating the link targets. Specifically, the _make_special_file() function passes the tar header's linkname to the link() system call without checking if the path is absolute or contains directory traversal sequences like "..". This allows an attacker to create hardlinks that point outside the intended extraction directory, sharing the inode of victim files.

As a result, when the extracted file is written to, it modifies the victim file outside the extraction directory. Additionally, the post-extraction operations that change file mode, ownership, and timestamps are applied to the shared inode, potentially altering sensitive files unintentionally.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized modification of files outside the extraction directory by an attacker supplying a malicious tar archive. Because hardlinks share the same inode, writing to the extracted file can overwrite or corrupt victim files elsewhere on the system.

Such unauthorized file modifications can compromise system integrity, lead to data loss, or allow privilege escalation if critical system or configuration files are altered.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the extraction of hardlinks to attacker-controlled paths outside the intended extraction directory by Archive::Tar versions before 3.08 for Perl.

Detection can focus on monitoring extraction activities for suspicious hardlink creations that point outside the extraction directory, especially those involving absolute paths or directory traversal sequences like "..".

Since the vulnerability is related to the _make_special_file() function passing unvalidated linknames to link(), you can check for unexpected hardlink creations or inode sharing between extracted files and files outside the extraction directory.

Commands to help detect this might include:

• Using 'find' to locate hardlinks created recently during extraction, for example: find /extraction/path -type f -links +1 -exec ls -li {} +
• Checking inode numbers of extracted files and comparing them to files outside the extraction directory to identify shared inodes.
• Monitoring logs or enabling debug output in Archive::Tar if running in SECURE EXTRACT MODE to detect and log attempts to extract hardlinks or symlinks with absolute or traversal paths.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Archive::Tar to version 3.08 or later, where validation for symlink and hardlink targets has been added in SECURE EXTRACT MODE.

If upgrading is not immediately possible, avoid extracting untrusted tar archives using vulnerable versions of Archive::Tar.

Enable SECURE EXTRACT MODE if supported, which includes checks to prevent extraction of symlinks or hardlinks with absolute paths or directory traversal sequences.

Review and restrict permissions on directories where extraction occurs to limit potential damage from malicious hardlinks.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Archive::Tar versions before 3.08 allows extraction of hardlinks to attacker-controlled paths outside the intended extraction directory. This can lead to unauthorized modification of files on the victim system.

Such unauthorized file modifications and potential data integrity breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data confidentiality, integrity, and access controls.

Specifically, if sensitive personal or health data is stored on affected systems, this vulnerability could lead to unauthorized data alteration or exposure, violating regulatory requirements for data protection and security.

Useful 0 Not Useful 0