CVE-2022-21658 Overview
CVE-2022-21658 is a race condition vulnerability (CWE-363, CWE-367) affecting the std::fs::remove_dir_all function in the Rust standard library. This Time-of-Check Time-of-Use (TOCTOU) vulnerability enables symlink following during directory removal operations. An attacker could exploit this race condition to trick a privileged program into deleting files and directories that the attacker would not otherwise have permission to access or delete.
The vulnerability affects Rust versions 1.0.0 through 1.58.0, with the fix released in version 1.58.1. The Rust Security Response Working Group identified this issue and coordinated the disclosure and patch. Programs running with elevated privileges, such as system daemons and setuid binaries, are at the highest risk of exploitation.
Critical Impact
Privileged programs using std::fs::remove_dir_all can be tricked into following symlinks and deleting arbitrary files and directories, potentially leading to system compromise or data loss.
Affected Products
- Rust-lang Rust versions 1.0.0 through 1.58.0
- Fedoraproject Fedora 34 and 35
- Apple iPadOS, iOS, macOS, tvOS, and watchOS (various versions)
Discovery Timeline
- 2022-01-20 - CVE-2022-21658 published to NVD
- 2022-01-20 - Rust-lang releases security patch in version 1.58.1
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21658
Vulnerability Analysis
The vulnerability exists in the std::fs::remove_dir_all function, which is designed to recursively delete a directory and all its contents. The function was susceptible to a classic TOCTOU race condition where an attacker could replace a directory with a symbolic link between the time the function checks the target and when it performs the deletion operation.
When a privileged program calls remove_dir_all on a directory, there is a window of opportunity where an attacker can replace a subdirectory with a symlink pointing to a sensitive location (such as system directories or other users' files). The function would then follow the symlink and delete the contents of the linked target, effectively allowing unprivileged users to delete files they should not have access to.
This vulnerability requires local access and specific timing, but the impact is significant when exploited against privileged processes. The attack is particularly dangerous for setuid binaries and system daemons that routinely clean up temporary directories.
Root Cause
The root cause is a Time-of-Check Time-of-Use (TOCTOU) race condition in the directory traversal logic of std::fs::remove_dir_all. The function did not properly prevent symlink following during the recursive deletion process. Between checking whether an entry is a directory and actually removing its contents, an attacker could swap a directory for a symlink, causing the privileged process to follow the symlink and delete unintended targets.
The Rust standard library advisory notes that adding checks in application code before calling remove_dir_all does not mitigate the vulnerability, as such checks would be equally vulnerable to the same race condition.
Attack Vector
The attack requires local access to the system where a privileged program uses remove_dir_all. The attacker must be able to create symlinks in a location where the privileged program will traverse during its directory removal operation. The attack sequence involves:
- Identifying a privileged program that uses std::fs::remove_dir_all on user-controllable paths
- Creating a directory structure that the program will attempt to delete
- Racing against the deletion operation to replace a subdirectory with a symlink pointing to a target location
- If successful, the privileged program follows the symlink and deletes the target contents
The vulnerability requires precise timing and repeated attempts may be necessary, but exploitation is feasible particularly against programs that perform cleanup operations on predictable paths or schedules.
Detection Methods for CVE-2022-21658
Indicators of Compromise
- Unexpected file or directory deletions in privileged or system locations
- Presence of symlinks in directories that are targets of recursive deletion by privileged processes
- Audit logs showing privileged processes accessing unexpected file paths via symlink redirection
- System integrity failures or missing configuration files following privileged program execution
Detection Strategies
- Monitor file system operations for privileged processes that perform recursive directory deletions, particularly when symlinks are involved
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized deletions
- Review application logs and system audit trails for unusual deletion patterns or access to unintended paths
- Scan Rust application binaries and dependencies to identify versions prior to 1.58.1
Monitoring Recommendations
- Enable comprehensive audit logging for privileged processes, tracking file operations including symlink resolution
- Deploy SentinelOne endpoint protection to detect and alert on suspicious file system activity patterns
- Implement real-time monitoring for symlink creation in directories used by privileged cleanup processes
- Establish baseline behaviors for privileged daemons and setuid binaries to identify anomalous file operations
How to Mitigate CVE-2022-21658
Immediate Actions Required
- Upgrade Rust toolchain to version 1.58.1 or later immediately, prioritizing systems running privileged Rust applications
- Rebuild all Rust applications compiled with affected toolchain versions (1.0.0 through 1.58.0)
- Audit privileged applications and system daemons to identify those using std::fs::remove_dir_all
- Review system permissions to minimize the attack surface for local privilege escalation attempts
Patch Information
The fix is included in Rust version 1.58.1, released on January 20, 2022. The patch implements proper symlink-safe directory removal by using platform-specific APIs where available. For detailed patch implementation, refer to the Rust Pull Request #93110 and the official Rust blog post.
Note that some platforms do not have usable APIs to properly mitigate the attack and remain vulnerable even with a patched toolchain: macOS versions before 10.10 (Yosemite) and REDOX. Users on these platforms should implement additional safeguards.
Apple has also addressed this vulnerability in their operating systems through security updates HT213182, HT213183, HT213186, and HT213193.
Workarounds
- Avoid using std::fs::remove_dir_all on user-controllable paths in privileged contexts until the toolchain is updated
- Run privileged cleanup processes with minimal necessary privileges using principle of least privilege
- Implement application-level restrictions that prevent operations on directories containing symlinks where feasible
- Consider using containerization or sandboxing to limit the blast radius of potential symlink attacks
# Check current Rust version and upgrade if necessary
rustc --version
# Update Rust toolchain to latest version
rustup update stable
# Verify updated version (should be 1.58.1 or later)
rustc --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
