CVE-2022-1348 Overview
A vulnerability was discovered in logrotate affecting how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
Critical Impact
An unprivileged local attacker can exploit improper file permissions to lock the logrotate state file, causing a denial of service by preventing all log rotation operations across the system.
Affected Products
- logrotate versions before 3.20.0
- Fedora 35
- Fedora 36
Discovery Timeline
- 2022-05-25 - CVE-2022-1348 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2022-1348
Vulnerability Analysis
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The core issue lies in how logrotate handles the creation of its state file, which serves as a critical synchronization mechanism to prevent multiple logrotate instances from running simultaneously.
When logrotate initializes and the state file does not already exist, the application creates this file with world-readable permissions (typically 0644 or similar). This permissive file creation allows any unprivileged user on the system to read and potentially manipulate the file. More critically, since the state file utilizes file locking to coordinate between logrotate instances, an unprivileged attacker can acquire and hold a lock on this file indefinitely.
By maintaining this lock, the attacker prevents legitimate logrotate processes from acquiring the necessary lock to perform log rotation. This results in a denial of service condition where logs are never rotated, potentially leading to disk space exhaustion, loss of log data due to size limits, or system instability.
Root Cause
The root cause is improper permission assignment during state file creation. When logrotate creates a new state file (typically located at /var/lib/logrotate/logrotate.status or similar paths), it fails to set restrictive permissions that would prevent unprivileged users from accessing the file. The file should be created with permissions that only allow the root user or the logrotate service account to read and write to it.
Attack Vector
The attack can be executed by any local user with access to the system. The attacker identifies the location of the logrotate state file and either waits for it to be created with weak permissions or triggers its creation. Once the file exists with world-readable permissions, the attacker opens the file and acquires a file lock using standard POSIX locking mechanisms (such as flock() or fcntl()).
By holding this lock indefinitely (for example, through a simple script that opens the file and sleeps), the attacker prevents all subsequent logrotate executions from acquiring the lock. Since logrotate is typically run via cron jobs on a schedule, every scheduled rotation attempt will fail to acquire the lock and exit without performing any rotation.
The vulnerability requires local access with low privileges and no user interaction, making it straightforward for malicious insiders or compromised low-privilege accounts to exploit.
Detection Methods for CVE-2022-1348
Indicators of Compromise
- Unusual file locks held on /var/lib/logrotate/logrotate.status or /var/lib/logrotate.status by non-root processes
- Log files growing beyond expected sizes without rotation occurring
- Failed logrotate executions in system logs indicating inability to acquire state file lock
- Persistent processes from unprivileged users holding open handles to logrotate state files
Detection Strategies
- Monitor logrotate execution logs for repeated failures to acquire the state file lock
- Implement file integrity monitoring on the logrotate state file to detect unexpected access patterns
- Use lsof or similar tools to periodically check for processes holding locks on the state file
- Alert on disk space utilization anomalies in log directories that could indicate rotation failures
Monitoring Recommendations
- Configure monitoring for logrotate cron job exit codes and execution status
- Set up alerts for log directories approaching capacity thresholds
- Implement audit logging on the logrotate state file to track access by unprivileged users
- Monitor system logs for repeated logrotate lock acquisition failures
How to Mitigate CVE-2022-1348
Immediate Actions Required
- Upgrade logrotate to version 3.20.0 or later which addresses this vulnerability
- Verify and correct permissions on existing state files to be accessible only by root
- Review Fedora package updates if running Fedora 35 or 36
Patch Information
The vulnerability has been addressed in logrotate version 3.20.0. Organizations should update to this version or later to receive the fix. Additional information is available through the Red Hat Bug Report for CVE-2022-1348 and the Openwall OSS Security Advisory. Fedora users can obtain updated packages through the standard Fedora package repositories.
Workarounds
- Manually set restrictive permissions on the state file: chmod 600 /var/lib/logrotate/logrotate.status
- Ensure the state file is owned by root: chown root:root /var/lib/logrotate/logrotate.status
- Move the state file to a directory only accessible by root if the default location is world-accessible
- Implement a monitoring script to detect and alert on unauthorized locks on the state file
# Configuration example: Secure the logrotate state file permissions
chmod 600 /var/lib/logrotate/logrotate.status
chown root:root /var/lib/logrotate/logrotate.status
# Verify no unauthorized processes hold locks on the state file
lsof /var/lib/logrotate/logrotate.status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
