CVE-2018-20834
Arbitrary File Overwrite vulnerability in tar (npm)
What is CVE-2018-20834 About?
Versions of `tar` prior to 4.4.2 (for 4.x) and 2.2.2 (for 2.x) are vulnerable to Arbitrary File Overwrite. This vulnerability allows attackers to overwrite system files when extracting specially crafted tarballs. Exploitation is relatively straightforward for an attacker who can provide a malicious tarball to a vulnerable system.
Affected Software
- tar
  - >3.0.0, <4.4.2
  - <2.2.2
Technical Details
The vulnerability exists because the tar utility mishandles hardlinks within tar archives. An attacker can craft a tarball containing two entries: a hardlink entry whose link target is an existing file on the victim's system, and a regular file entry with the same name as the hardlink entry. When a vulnerable tar extracts this archive, it first creates the hardlink, and then incorrectly writes the content of the second, identically named entry into that path. Because the path now shares its data with the linked system file, the system file's content is replaced. The root cause is a logical flaw in how tar resolves and processes hardlinked entries during extraction: it reuses the existing, already-linked path instead of replacing it.
What is the Impact of CVE-2018-20834?
Successful exploitation may allow attackers to overwrite arbitrary files on the system, leading to denial of service, privilege escalation, or even remote code execution if critical system files are targeted.
What is the Exploitability of CVE-2018-20834?
Exploitation requires the attacker to provide a specially crafted tarball to a system that uses a vulnerable version of tar for extraction. The complexity is low, as crafting the tarball is relatively simple. No authentication is typically required for the act of extracting the tarball itself, though the ability to get the tarball onto the system and trigger its extraction might implicitly involve some level of access. Privilege requirements depend on the target file; overwriting a file owned by a privileged user might require the tar process to run with those privileges. This is generally considered a local vulnerability if the attacker must manually extract the file, but it can be remote if the system automatically extracts uploaded or received tarballs. The most significant risk factor is an application or service that automatically extracts untrusted tar archives.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-20834?
About the Fix from Resolved Security
This patch restricts file overwriting during tar extraction to files with a single hard link (nlink ≤ 1); a path whose data is linked elsewhere is not reused. This prevents an attacker from crafting a tar that overwrites shared files through hardlinks, fixing CVE-2018-20834 by ensuring that unpacking cannot unintentionally modify other files that have additional links.
Available Upgrade Options
- tar
  - <2.2.2 → Upgrade to 2.2.2
  - >3.0.0, <4.4.2 → Upgrade to 4.4.2
Additional Resources
- https://hackerone.com/reports/344595
- https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d
- https://osv.dev/vulnerability/GHSA-j44m-qm6p-hp7m
- https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
- https://access.redhat.com/errata/RHSA-2019:1821
- https://github.com/npm/node-tar/compare/58a8d43...a5f7779
- https://github.com/isaacs/node-tar
- https://github.com/npm/node-tar/commits/v2.2.2
- https://nvd.nist.gov/vuln/detail/CVE-2018-20834
What are Similar Vulnerabilities to CVE-2018-20834?
Similar Vulnerabilities: CVE-2001-0414, CVE-2015-2836, CVE-2000-0935, CVE-2001-0268, CVE-2002-0941
