CVE-2026-50267
Steeltoe Configuration Abstractions TLS Credential Exposure

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, the Connectors library writes those credentials to temporary files in `Path.GetTempPath()` using `File.CreateText`. On Linux, `File.CreateText` creates files with mode `0644` (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode `0400` in `/proc/<pid>/environ`. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue. If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to `/tmp`.
Meta Information

Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor    Product                     Version / Range
steeltoe  configuration_abstractions  From 4.0.0 (inc) to 4.1.0 (inc)
steeltoe  configuration_abstractions  4.2.0

CWE
CWE ID   Description
CWE-732  The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-312  The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Executive Summary

This vulnerability exists in Steeltoe.Configuration.Abstractions versions 4.0.0 through 4.1.0. When MySQL or PostgreSQL service bindings from VCAP_SERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in the system's temporary directory using File.CreateText.

On Linux systems, File.CreateText creates files with permissions mode 0644, which means the files are world-readable under the process umask. Additionally, these temporary files containing sensitive TLS client credentials are never deleted, exposing them to unauthorized access by other users or processes.

The same key material is protected at mode 0400 in `/proc/<pid>/environ`, whereas the copies written under the temporary directory are world-readable. This issue was fixed in Steeltoe.Configuration.Abstractions version 4.2.0.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of TLS client credentials used for MySQL or PostgreSQL service bindings. Because the credentials are written to world-readable temporary files that are never deleted, other users or processes on the same system or container could read these sensitive files.

Exposure of TLS client credentials can compromise the security of database connections, potentially allowing attackers to impersonate legitimate clients, intercept or manipulate data, or gain unauthorized access to the database.

If an immediate upgrade to version 4.2.0 is not possible, it is recommended to prevent other processes from running in the container under a different user ID that has access to the temporary directory to mitigate the risk.

Detection Guidance

This vulnerability involves temporary files containing TLS client credentials being created in the system's temporary directory with world-readable permissions and never being deleted. To detect this issue, check the temporary directory for files that are readable by other users and that contain sensitive key material.

  • Run a command to list files in the temporary directory with permissions that allow world-read access, for example: ls -l /tmp
  • Search for files created by the Steeltoe process or related to MySQL/PostgreSQL service bindings that may contain TLS credentials.
  • Use commands like grep or strings to inspect temporary files for TLS client credential patterns.
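
As a worked version of the checks listed above, and of the 0644-versus-0400 contrast in the description, the following POSIX shell helper is added here; it is not code from Steeltoe, GitHub, or the advisory. It lists regular files in a directory whose other-read bit is set (the bit `File.CreateText`'s 0644 leaves on) and whose content carries a PEM private-key or certificate marker. The function names `find_world_readable_keys` and `demo_scan`, the sandbox directory, and the fake PEM content are all constructed for the example; the default directory follows `Path.GetTempPath()` on Linux, which honors `TMPDIR` and otherwise uses `/tmp`.

```sh
#!/bin/sh
# Added detection helper (hypothetical name; not part of Steeltoe or the advisory).
# Lists files directly under a directory that are readable by "other" (o+r)
# and contain PEM-style key or certificate material.
#
# Usage in an affected container:  find_world_readable_keys /tmp
find_world_readable_keys() {
    # Default mirrors Path.GetTempPath() on Linux: $TMPDIR, else /tmp.
    dir="${1:-${TMPDIR:-/tmp}}"
    # -perm -004: the other-read bit is set (what 0644 grants and 0400 does not).
    # -maxdepth 1: the advisory says the files land directly in the temp dir.
    find "$dir" -maxdepth 1 -type f -perm -004 2>/dev/null | while IFS= read -r f; do
        # Only flag files whose content looks like TLS credential material:
        # "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
        # "-----BEGIN CERTIFICATE-----", etc.
        if grep -qE -- '-----BEGIN ([A-Z ]*PRIVATE KEY|CERTIFICATE)-----' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# demo_scan: builds a constructed sandbox so the scan can be exercised without
# reading the real temp directory, then prints the base names of flagged files.
demo_scan() {
    sandbox=$(mktemp -d) || return 1

    # Constructed sample 1: world-readable (0644) file with a fake PEM private key.
    # This is the shape of the file the advisory describes; it must be flagged.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
                  'CONSTRUCTED-NOT-A-REAL-KEY' \
                  '-----END PRIVATE KEY-----' > "$sandbox/leaked.pem"
    chmod 0644 "$sandbox/leaked.pem"

    # Constructed sample 2: same content at owner-only mode (0600); not flagged,
    # because the other-read bit is clear.
    cp "$sandbox/leaked.pem" "$sandbox/private.pem"
    chmod 0600 "$sandbox/private.pem"

    # Constructed sample 3: world-readable but no key material; not flagged.
    printf '%s\n' 'just a log line' > "$sandbox/app.log"
    chmod 0644 "$sandbox/app.log"

    find_world_readable_keys "$sandbox" | while IFS= read -r f; do
        basename "$f"
    done

    rm -rf "$sandbox"
}
```

`demo_scan` prints only `leaked.pem`: the owner-only copy and the harmless log file are both skipped, which is the distinction a reviewer needs when deciding whether a flagged file is an instance of this issue or a correctly protected credential store. Mode bits alone are not proof that another UID can actually read the file, so the check is best read together with the page's mitigation of not running other UIDs with access to the temporary directory.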

Mitigation Strategies

The recommended immediate mitigation is to upgrade Steeltoe.Configuration.Abstractions to version 4.2.0 or later, where the issue is patched.

If an immediate upgrade is not possible, prevent other processes from running in the container under a different user ID (UID) that has access to the temporary directory (/tmp). This limits exposure of the sensitive temporary files.

Compliance Impact

This vulnerability causes TLS client credentials to be written to temporary files with world-readable permissions on Linux systems, and these files are never deleted. This exposure of sensitive key material could lead to unauthorized access to confidential data.

Such exposure of sensitive credentials may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and credentials to prevent unauthorized access and data breaches.

Steeltoe.Configuration.Abstractions version 4.2.0 patches this issue, and until an upgrade is possible, it is recommended to prevent other processes from running under different UIDs with access to the temporary directory to mitigate the risk.
