Vulnerability Name:

CVE-2020-10174 (CCN-177314)

Assigned:2020-03-05
Published:2020-03-05
Updated:2022-01-01
Summary:init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely reuses a preexisting temporary directory in the predictable location /tmp/timeshift. It follows symlinks in this location or uses directories owned by unprivileged users. Because Timeshift also executes scripts under this location, an attacker can attempt to win a race condition to replace scripts created by Timeshift with attacker-controlled scripts. Upon success, an attacker-controlled script is executed with full root privileges. This logic is practically always triggered when Timeshift runs regardless of the command-line arguments used.
CVSS v3 Severity:7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-362
CWE-59
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-10174

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20200306 CVE-2020-10174: timeshift: arbitrary local code execution due to unsafe usage of temporary directory in /tmp/timeshift

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1165802

Source: XF
Type: UNKNOWN
timeshift-cve202010174-code-exec(177314)

Source: CCN
Type: Timeshift GIT Repository
Change TEMP_DIR permissions and path; Cleanup on exit;

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/teejee2008/timeshift/releases/tag/v20.03

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-1050d60507

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-6b3ae09449

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-c18248f61a

Source: CCN
Type: oss-sec Mailing List, Fri, 6 Mar 2020 14:46:35 +0100
CVE-2020-10174: timeshift: arbitrary local code execution due to unsafe usage of temporary directory in /tmp/timeshift

Source: UBUNTU
Type: Third Party Advisory
USN-4312-1

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:timeshift_project:timeshift:*:*:*:*:*:*:*:* (Version < 20.03)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    timeshift_project timeshift *
    fedoraproject fedora 30
    fedoraproject fedora 31
    fedoraproject fedora 32
    canonical ubuntu linux 19.10