Privilege Escalation Affecting github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel package, versions <2020.8.1
Attack Complexity
High
Confidentiality
High
Integrity
High
Availability
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GITHUBCOMCLOUDFLARECLOUDFLAREDCMDCLOUDFLAREDTUNNEL-1296549
-
published
25 May 2021
-
disclosed
24 May 2021
-
credit
AgentBTZ
Introduced: 24 May 2021
CVE-2020-24356 Open this link in a new tabHow to fix?
Upgrade github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel to version 2020.8.1 or higher.
Overview
github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel is an Argo Tunnel client.
Affected versions of this package are vulnerable to Privilege Escalation. On Windows, if an administrator has set cloudflared to read configuration files from a certain directory, an unprivileged user can exploit a misconfiguration in order to escalate privileges and execute system-level commands. The misconfiguration is due to the way that cloudflared reads its configuration file.
One of the locations that cloudflared reads from (C:\etc\) is not a secure by default directory due to the fact that Windows does not enforce access controls on this directory without further controls applied. A malformed config.yaml file can be written by any user.