Ubuntu Patches sslh Symlink Vulnerability Enabling Arbitrary File Overwrite
Ubuntu has released a security update addressing a symlink handling flaw in sslh that could allow local attackers to overwrite arbitrary files. The vulnerability stems from improper PID file handling and affects systems running vulnerable versions of the protocol multiplexer.
TL;DR
- sslh fails to safely handle symbolic links when writing PID files, creating a local privilege escalation vector
- Attackers with local access can exploit this to overwrite arbitrary files on the system
- Ubuntu USN-8360-1 patches the vulnerability across affected releases
- Immediate patching recommended for systems running sslh in multi-user environments
Ubuntu has released security notice USN-8360-1 addressing a local privilege escalation vulnerability in sslh, a protocol multiplexer commonly used to run multiple services on a single port. The flaw involves improper handling of symbolic links during PID file creation, a common attack surface in Unix-like systems.
The vulnerability allows a local attacker to exploit the symlink behavior to overwrite arbitrary files on the system. This type of attack is particularly dangerous in shared hosting environments or multi-user systems where local access is easier to obtain. The issue underscores the importance of secure file operations when handling system-critical files like PID files.
Technical Details of the Symlink Vulnerability
- sslh improperly validates symbolic links when creating or writing to its PID file
- Local attackers can create symlinks pointing to sensitive system files or application files
- When sslh writes its PID, the symlink causes data to be written to the attacker-controlled target file
- This bypasses normal file permission checks by exploiting the trust relationship between sslh and the filesystem
Risk Assessment and Mitigation
- Primary risk vector is local privilege escalation on systems where sslh runs with elevated privileges
- Systems with restricted local access or running sslh in containers have reduced exposure
- Ubuntu users should apply USN-8360-1 patch immediately to affected releases
- Best practice: verify PID file location is in a secure directory with restrictive permissions
Defensive Recommendations
- Update sslh to the patched version provided in Ubuntu security notice USN-8360-1
- Review system logs for suspicious PID file access or unexpected file modifications
- Audit local user accounts and restrict shell access where possible
- Monitor sslh process behavior and file system activity in production environments
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.