CVE-2022-41973 Overview
CVE-2022-41973 is a symlink attack vulnerability in multipath-tools versions 0.7.7 through 0.9.x before 0.9.2 that allows local users to obtain root access. It stems from incorrect symlink handling in the multipathd daemon: because /dev/shm is a world-writable tmpfs on most Linux systems, any local user can plant symbolic links where multipathd expects to create its own files, turning the daemon's privileged file operations into controlled writes outside /dev/shm. On its own this is an arbitrary file write; chained with CVE-2022-41974, which gives an unprivileged user a way to drive multipathd, it becomes a reliable local privilege escalation to root.
Critical Impact
Local privilege escalation to root through symlink manipulation in multipathd, allowing complete system compromise when combined with CVE-2022-41974.
Affected Products
- multipath-tools upstream (NVD vendor "opensvc"), versions 0.7.7 through 0.9.x before 0.9.2
- Fedora 36
- Debian 10 (buster)
Discovery Timeline
- October 29, 2022 - CVE-2022-41973 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-41973
Vulnerability Analysis
This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The multipathd daemon, which manages multipath devices in Linux environments, fails to properly validate and handle symbolic links when performing operations within the /dev/shm shared memory directory.
The attack requires local access to the target system, specifically the ability to create files in /dev/shm, which every local user has by default because it is a world-writable tmpfs. An attacker creates symbolic links at the paths the multipathd process uses during its normal operations. Because multipathd runs as root, any file it creates or writes through such a link lands on the link's target with root permissions, giving the attacker a controlled write to a location of their choosing.
Alone, the symlink flaw only redirects file operations the daemon happens to perform. CVE-2022-41974 supplies the trigger: it lets an unprivileged local user who can write to multipathd's UNIX domain socket bypass the daemon's client authorization check and issue commands that manipulate the multipath setup. Chained, the two give a reliable path from an unprivileged local account to full root access.
Root Cause
The root cause lies in the multipathd daemon's failure to validate symbolic links before file access operations. When creating or writing its files under /dev/shm, the daemon opens them by path without checking whether any component is a symbolic link leading outside the intended directory (the kind of check an O_NOFOLLOW open relative to a verified directory descriptor would provide). No race is needed: /dev/shm is world-writable, so the attacker plants the link in advance and waits for the daemon's next write, which then lands on the link's target with root privileges.
Attack Vector
The attack is local in nature, requiring the attacker to have an existing account on the target system with access to the /dev/shm directory (a standard world-writable tmpfs mount on most Linux systems).
The exploitation chain typically involves:
- An attacker creates a symbolic link in /dev/shm pointing to a privileged file location (such as /etc/passwd, /etc/shadow, or files in /etc/sudoers.d/)
- The attacker triggers multipathd to perform a write operation that follows this symlink; in the published chain, the authorization bypass CVE-2022-41974 is what lets an unprivileged user issue the daemon commands that cause the write
- Due to insufficient path validation, multipathd writes data to the attacker-controlled destination with root privileges
- The attacker leverages this arbitrary file write to establish persistent root access
For detailed technical analysis of this vulnerability and its exploitation, see the Qualys Analysis on Leeloo Multipath and Packet Storm Exploit Analysis.
Detection Methods for CVE-2022-41973
Indicators of Compromise
- Suspicious symbolic links created in /dev/shm pointing to sensitive system files such as /etc/passwd, /etc/shadow, or sudoers configuration files
- Unexpected modifications to system configuration files with timestamps correlating to multipathd activity
- New user accounts or modified sudo permissions that cannot be attributed to legitimate administrative actions
- Evidence of symlink creation followed by multipathd file operations in audit logs (standard syslog does not record symlink creation, so this requires auditd rules that were already in place)
Detection Strategies
- Monitor /dev/shm for creation of symbolic links, especially those pointing outside the shared memory directory
- Implement file integrity monitoring on critical system files (/etc/passwd, /etc/shadow, /etc/sudoers, /etc/sudoers.d/)
- Audit multipathd process activity using Linux audit framework (auditd) to track file operations
- Deploy endpoint detection rules that correlate symlink creation with subsequent privileged file writes
Monitoring Recommendations
- Enable comprehensive logging for multipathd daemon operations
- Configure audit rules to monitor symlink system calls (symlink, symlinkat) in /dev/shm
- Implement real-time alerting on unauthorized modifications to authentication and authorization files
- Use SentinelOne's behavioral AI to detect privilege escalation patterns indicative of symlink exploitation
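The following shell script is an added example written for this page; it is not code from the multipath-tools project or from the analyses cited above. It implements the two detection ideas listed: a scan of /dev/shm for symlinks whose resolved target lies outside the directory (dangling links included, since the attacker plants the link before the daemon creates the file), and an auditd rule set covering symlink creation under /dev/shm by real users and file-creating syscalls issued by multipathd, keyed so the two can be correlated. Assumptions: GNU coreutils and findutils, an auditctl that supports the exe filter, and a rules file path of /etc/audit/rules.d/multipathd.rules; the multipathd binary path is resolved from PATH and falls back to /usr/sbin/multipathd.

```shell
#!/bin/sh
# Added example for this page (not multipath-tools code): detect symlinks that
# escape /dev/shm and emit auditd rules for the symlink/multipathd activity.
# Assumes GNU coreutils/findutils; the rules file path is an assumption.

# find_escaping_symlinks DIR
# Print "LINK -> TARGET" for each symlink under DIR whose target resolves outside
# DIR. Dangling links count: in a symlink attack the link is planted before the
# privileged daemon creates the file, so the target usually does not exist yet.
find_escaping_symlinks() {
    base=$(readlink -f -- "$1") || return 2
    find "$base" -type l -print | while IFS= read -r link; do
        # readlink -f needs every component but the last to exist; fall back to
        # the raw link text for fully dangling targets so they are still shown
        target=$(readlink -f -- "$link" 2>/dev/null) || target=$(readlink -- "$link")
        case "$target" in
            "$base"|"$base"/*) ;;                        # resolves inside DIR: benign
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes DIR: report
        esac
    done
}

# audit_rules [MULTIPATHD_PATH]
# Print auditd rules: symlink creation under /dev/shm by real users (auid>=1000)
# and file-creating/renaming syscalls issued by multipathd itself. The exe filter
# matches the resolved binary path, so resolve it; /usr/sbin/multipathd is the
# assumed fallback when the daemon is not installed on the machine running this.
audit_rules() {
    exe=${1:-$(readlink -f -- "$(command -v multipathd)" 2>/dev/null)}
    exe=${exe:-/usr/sbin/multipathd}
    cat <<EOF
-a always,exit -F arch=b64 -S symlink,symlinkat -F dir=/dev/shm -F auid>=1000 -F auid!=unset -k shm_symlink
-a always,exit -F arch=b64 -S open,openat,creat,rename,renameat,link,linkat -F exe=$exe -k multipathd_files
EOF
}

# When saved as shm-symlink-check.sh and run as root: scan, then install rules.
if [ "${0##*/}" = "shm-symlink-check.sh" ]; then
    find_escaping_symlinks /dev/shm
    audit_rules > /etc/audit/rules.d/multipathd.rules && augenrules --load
fi
```

The scan is a point-in-time check and will miss a link that is created, consumed and removed between runs, which is why the audit rules matter: once loaded, `ausearch -k shm_symlink` and `ausearch -k multipathd_files` can be compared by time and path to see whether a user-created link was followed by a daemon write. Add a matching `arch=b32` rule on systems that run 32-bit binaries.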
How to Mitigate CVE-2022-41973
Immediate Actions Required
- Upgrade multipath-tools to version 0.9.2 or later immediately on all affected systems
- Harden the /dev/shm mount with options that defeat the symlink step (nosymfollow on kernels that support it, plus nodev,nosuid,noexec); /dev/shm must stay world-writable for POSIX shared memory, so access itself cannot be restricted
- Review system logs for evidence of prior exploitation attempts
- Audit user accounts and sudo configurations for unauthorized changes
Patch Information
The vulnerability has been addressed upstream in multipath-tools version 0.9.2. Distributions generally backport the fix rather than ship 0.9.2, so the installed package version will not match the upstream number; compare against the fixed package version named in your distribution's advisory. Apply vendor-specific security updates as soon as possible:
- OpenSVC: Upgrade to multipath-tools 0.9.2 or later
- Debian: Apply DSA-5366 security update; see also Debian LTS Announcement
- Fedora: Apply the Fedora Package Update
- Gentoo: Apply GLSA 202311-06
- SUSE: See Bug Report #1202739 for patch details
Workarounds
- If immediate patching is not possible and multipath is not in use, stop and mask the multipathd service and its socket unit. Where it is in use there is little to restrict: multipathd's control socket lives in the abstract UNIX socket namespace rather than on the filesystem, so it cannot be locked down with file permissions, and the daemon's own root-only client check is exactly what CVE-2022-41974 bypasses
- Mount /dev/shm with the nosymfollow option, which makes the kernel refuse to follow any symlink stored on that filesystem. It requires Linux 5.10 or later (MS_NOSYMFOLLOW) and a mount(8) that knows the option; test first, since it also breaks any legitimate symlink other software keeps in /dev/shm, and note that it blocks only the symlink step, not CVE-2022-41974 itself
- Implement mandatory access control (SELinux/AppArmor) policies to confine multipathd file operations
- Monitor and alert on any symlink creation within /dev/shm as a compensating control
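A check for the mount-option workaround, added here as an example and not taken from the page's sources or from multipath-tools. It reads the /dev/shm entry from /proc/mounts (or from a file passed in, for testing), reports which of nosymfollow, nodev, nosuid and noexec are missing, warns when the running kernel predates the 5.10 release that introduced nosymfollow, and prints the remount command rather than running it. The four-option target list and the 5.10 threshold are the assumptions.

```shell
#!/bin/sh
# Added example for this page (not multipath-tools code): verify the /dev/shm
# mount hardening described in the workarounds. Assumes /proc/mounts format and
# that MS_NOSYMFOLLOW is available from Linux 5.10 onward.

# opt_present OPTS NAME -> 0 if NAME appears in the comma-separated option list
opt_present() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# kernel_at_least VERSION MAJOR MINOR -> 0 if VERSION (uname -r style) >= MAJOR.MINOR
kernel_at_least() {
    ver=${1%%-*}              # drop "-13-amd64" / "-generic" style suffixes
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# shm_mount_opts [MOUNTS_FILE] -> option field of the /dev/shm mount (empty if absent)
shm_mount_opts() {
    awk '$2 == "/dev/shm" { opts = $4 } END { print opts }' "${1:-/proc/mounts}"
}

# check_shm [MOUNTS_FILE] [KERNEL_VERSION]
# Report missing hardening options; returns 0 only when all four are present.
check_shm() {
    opts=$(shm_mount_opts "${1:-/proc/mounts}")
    kver=${2:-$(uname -r)}
    missing=
    for o in nosymfollow nodev nosuid noexec; do
        opt_present "$opts" "$o" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then
        echo "/dev/shm: hardened ($opts)"
        return 0
    fi
    echo "/dev/shm: missing$missing (current: ${opts:-not mounted})"
    if ! kernel_at_least "$kver" 5 10; then
        echo "kernel $kver predates 5.10: nosymfollow is not available; rely on patching and MAC confinement"
    fi
    # Print, do not run: remounting is a change an operator should make deliberately.
    echo "suggested: mount -o remount,$(echo $missing | tr ' ' ',') /dev/shm"
    return 1
}

# Stand-alone use: check the live system.
if [ "${0##*/}" = "shm-mount-check.sh" ]; then
    check_shm
fi
```

To make the setting survive a reboot, carry the same options into the /dev/shm line of /etc/fstab (for example `tmpfs /dev/shm tmpfs defaults,nosymfollow,nodev,nosuid,noexec 0 0`, an illustrative line, not one taken from any vendor) or into the systemd mount unit override your distribution uses for /dev/shm, and confirm with `findmnt /dev/shm` that the kernel accepted nosymfollow; on kernels older than 5.10 the remount fails with an unknown option.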
# Example: Check the installed package version (distributions backport the fix,
# so compare against the fixed version in your distro's advisory, not only upstream 0.9.2)
dpkg -s multipath-tools | grep '^Version'        # Debian/Ubuntu
rpm -q device-mapper-multipath                    # Fedora/RHEL
# Example: Ask the running daemon for its version (needs root and a running multipathd)
sudo multipathd show version
# Example: Apply updates on Debian-based systems
sudo apt update && sudo apt install --only-upgrade multipath-tools
# Example: Apply updates on Fedora/RHEL-based systems
sudo dnf update device-mapper-multipath
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

