CVE-2021-29428 Overview
CVE-2021-29428 is a local privilege escalation vulnerability in Gradle versions prior to 7.0 affecting Unix-like systems. The flaw stems from the system temporary directory being created with overly permissive settings, enabling multiple users to create and delete files within it. An attacker with local access can exploit this condition by rapidly deleting and recreating files in the system temporary directory during Gradle build processes.
Critical Impact
Local attackers can escalate privileges by manipulating temporary files during Gradle builds, potentially compromising build integrity and gaining elevated access on affected Unix-like systems.
Affected Products
- Gradle versions prior to 7.0
- Quarkus (dependent on vulnerable Gradle versions)
- Builds using precompiled script plugins written in Kotlin DSL
Discovery Timeline
- 2021-04-13 - CVE-2021-29428 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29428
Vulnerability Analysis
This vulnerability represents a Time-of-Check Time-of-Use (TOCTOU) race condition combined with insecure file permissions in Unix-like operating systems. The attack specifically impacts builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit.
The vulnerability does not affect Windows systems or modern versions of macOS. Additionally, Unix-like systems with the "sticky" bit set on the system temporary directory are protected from exploitation. The sticky bit ensures that only a file's owner (or root) can delete that file, preventing the rapid file manipulation required for this attack.
Root Cause
The root cause is CWE-378: Creation of Temporary File With Insecure Permissions. When Gradle creates temporary files during build processes, the system temporary directory may be configured with open permissions (e.g., 777 without the sticky bit) on certain Unix-like systems. This allows any local user to read, write, and delete files in the temporary directory, creating a race condition opportunity.
Attack Vector
The attack requires local access to the target system. An attacker monitors the system temporary directory for Gradle build activity and exploits the race condition by quickly deleting legitimate temporary files and replacing them with malicious content. This manipulation occurs between the time Gradle checks the file and when it uses the file contents.
The attack mechanism involves the following steps:
- The attacker gains local access to a Unix-like system running Gradle builds
- The attacker monitors the system temporary directory (/tmp or similar) for Gradle-created files
- During a build, the attacker rapidly deletes a legitimate temporary file
- The attacker immediately recreates the file with malicious content
- Gradle processes the attacker-controlled file, potentially executing with elevated privileges
For detailed technical information, refer to the GitHub Security Advisory GHSA-89qm-pxvm-p336.
Detection Methods for CVE-2021-29428
Indicators of Compromise
- Unusual file creation and deletion activity in the system temporary directory during Gradle builds
- Unexpected changes in file ownership or permissions for temporary files
- Build failures or unexpected behavior when using Kotlin DSL precompiled script plugins
- Evidence of rapid file manipulation in /tmp or other temporary directories
Detection Strategies
- Monitor system temporary directories for suspicious file operations during build processes
- Implement file integrity monitoring for critical temporary files created by Gradle
- Audit local user activity for patterns consistent with TOCTOU exploitation
- Check Gradle version across development and build systems to identify vulnerable installations
Monitoring Recommendations
- Enable audit logging for file operations in the system temporary directory
- Configure alerts for rapid file creation/deletion sequences in /tmp
- Monitor build server logs for unexpected failures in Kotlin DSL plugin compilation
- Implement endpoint detection for local privilege escalation patterns
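The alerting idea above can be prototyped over normalized file events. This is an added example, not part of the advisory or of Gradle: the record layout (`time_ms uid op path`), the function names and the sample events are all constructed assumptions, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: flag "deleted by one user, recreated by a non-owner" sequences
# on the same temp path within a short window. Reads events on stdin.
# Assumed record layout (constructed, one event per line): time_ms uid op path
detect_tmp_swaps() {
    awk -v window="${1:-1000}" '
        $3 == "DELETE" {
            # Only a delete by someone other than the creator is suspicious.
            if (($4 in owner) && $2 != owner[$4]) {
                del_ts[$4] = $1
                victim[$4] = owner[$4]
            }
            delete owner[$4]
            next
        }
        $3 == "CREATE" {
            if (($4 in del_ts) && $2 != victim[$4] && $1 - del_ts[$4] <= window)
                printf "%s victim_uid=%s actor_uid=%s gap_ms=%d\n", \
                       $4, victim[$4], $2, $1 - del_ts[$4]
            delete del_ts[$4]
            owner[$4] = $2
        }
    '
}

# Constructed sample events: one swap, one legitimate reuse, one slow recreate.
sample_events() {
    cat <<'EOF'
1000 1001 CREATE /tmp/example-a.tmp
1004 1002 DELETE /tmp/example-a.tmp
1006 1002 CREATE /tmp/example-a.tmp
2000 1001 CREATE /tmp/example-b.tmp
2500 1001 DELETE /tmp/example-b.tmp
2510 1003 CREATE /tmp/example-b.tmp
3000 1001 CREATE /tmp/example-c.tmp
3100 1002 DELETE /tmp/example-c.tmp
9000 1002 CREATE /tmp/example-c.tmp
EOF
}
```

Running `sample_events | detect_tmp_swaps 500` reports only the first path. On a directory with the sticky bit set, a non-owner delete should not succeed at all, so any hit there deserves investigation.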
How to Mitigate CVE-2021-29428
Immediate Actions Required
- Upgrade Gradle to version 7.0 or later to receive the security patch
- Verify the "sticky" bit is set on the system temporary directory (chmod +t /tmp)
- Review all build environments for vulnerable Gradle versions
- Consider moving the Java temporary directory to a more secure location
Patch Information
Gradle has released version 7.0 which addresses this vulnerability. The fix is documented in the Gradle 7.0 Release Notes Security Advisories. The patches were implemented via GitHub Pull Request #15240 and GitHub Pull Request #15654.
Workarounds
- Set the sticky bit on Unix-like operating systems using chmod +t /tmp to restrict file deletion to file owners
- Redirect the Java temporary directory by setting the System Property java.io.tmpdir to a path with restricted permissions
- Ensure the alternative temporary directory limits permissions to the build user only
- For containerized builds, use private temporary directories with appropriate permission restrictions
```bash
# Configuration example
# Set the sticky bit on the system temporary directory
chmod +t /tmp
# Alternatively, set a custom Java temporary directory with restricted permissions
mkdir -p /secure/tmp/gradle
chmod 700 /secure/tmp/gradle
export JAVA_OPTS="-Djava.io.tmpdir=/secure/tmp/gradle"
# Verify sticky bit is set (look for 't' in permissions)
ls -ld /tmp
# Expected output: drwxrwxrwt
```
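The manual `ls -ld` check above can be turned into a repeatable audit across build hosts. This is an added example, not code from the advisory or from Gradle; the function names and result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a host for the two CVE-2021-29428 preconditions
# (a Gradle version before 7.0 and a shared temp directory without the sticky bit).

# Classify a directory from its `ls -ld` permission string.
# Prints: private (no group/other write), sticky (shared, sticky bit set),
#         exposed (writable by group or others, no sticky bit), or missing.
classify_tmpdir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 0; }
    # -L follows a symlinked temp directory so the target's mode is inspected.
    perms=$(ls -ldL -- "$dir" | cut -c1-10)
    group_w=$(printf '%s' "$perms" | cut -c6)
    other_w=$(printf '%s' "$perms" | cut -c9)
    sticky=$(printf '%s' "$perms" | cut -c10)
    if [ "$group_w" != w ] && [ "$other_w" != w ]; then
        echo "private"
    elif [ "$sticky" = t ] || [ "$sticky" = T ]; then
        echo "sticky"
    else
        echo "exposed"
    fi
}

# Prints yes if the version's major number is below 7, no otherwise, or
# unknown if it cannot be parsed. Pre-release 7.0 builds are not distinguished.
gradle_affected() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) echo "unknown" ;;
        *) if [ "$major" -lt 7 ]; then echo "yes"; else echo "no"; fi ;;
    esac
}

# Combine both checks: audit_host <tmpdir> <gradle-version>
audit_host() {
    state=$(classify_tmpdir "$1")
    affected=$(gradle_affected "$2")
    case "$affected:$state" in
        no:*)        echo "patched" ;;
        yes:exposed) echo "at-risk" ;;
        yes:*)       echo "upgrade" ;;
        *)           echo "unknown-version" ;;
    esac
}
```

Call it as `audit_host /tmp 6.8.3`, passing the version reported by `gradle --version` and the directory the build JVM uses as `java.io.tmpdir`.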

