CVE-2024-45339 Overview
CVE-2024-45339 is a symlink attack vulnerability affecting the Go glog logging library. When logs are written to a widely-writable directory (the default configuration), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file, potentially leading to arbitrary file overwrites with elevated privileges.
Critical Impact
Unprivileged attackers can leverage predictable log file paths to overwrite sensitive system files through symlink exploitation, potentially compromising system integrity or escalating privileges.
Affected Products
- glog (Go logging library) - versions prior to the security fix
- Applications using glog with default log directory configurations
- Debian Linux systems (addressed in LTS security announcement)
Discovery Timeline
- 2025-01-28 - CVE CVE-2024-45339 published to NVD
- 2025-02-17 - Last updated in NVD database
Technical Details for CVE-2024-45339
Vulnerability Analysis
This vulnerability represents a classic Time-of-Check to Time-of-Use (TOCTOU) race condition combined with insecure temporary file handling. The glog library's default behavior writes log files to widely-writable directories without verifying the integrity of the target file path. This design flaw enables attackers to exploit the predictable nature of log file naming conventions.
The attack exploits a fundamental trust assumption in the logging process: that the log file path points to a legitimate location rather than a symbolic link. When a privileged process (running as root or with elevated capabilities) initializes logging through glog, it attempts to create or open a log file at a predetermined path. An attacker who can anticipate this path can race to create a symbolic link pointing to a sensitive file such as /etc/passwd, /etc/shadow, or critical application configuration files.
The impact includes unauthorized file overwrites leading to potential denial of service, privilege escalation, or system compromise. The local attack vector requires the attacker to have local access to the system but only unprivileged access is needed to exploit this vulnerability.
Root Cause
The root cause lies in glog's insufficient validation of log file paths before writing. The library did not check whether the target log file already exists or whether it is a symbolic link pointing elsewhere. This oversight in the file creation logic allows attackers to plant malicious symlinks that redirect privileged write operations to arbitrary files on the filesystem.
The fix implemented in the glog library now causes the program to exit with status code 2 when it detects that the configured log file already exists, preventing the symlink attack from succeeding.
Attack Vector
The attack requires local access to the system where a vulnerable glog-using application runs with elevated privileges. The attacker follows this exploitation flow:
- The attacker identifies an application using glog that runs with elevated privileges
- The attacker determines the predictable log file path by analyzing the application's logging configuration or default glog behavior
- Before the privileged process starts, the attacker creates a symbolic link at the expected log file path pointing to a sensitive target file (e.g., /etc/passwd)
- When the privileged application initializes and attempts to write logs, it follows the symlink and overwrites the target sensitive file
- The attacker achieves arbitrary file overwrite with the privileges of the target application
This attack pattern is documented in the OWASP Temporary File Vulnerability guide and represents a well-known class of vulnerabilities in applications that handle temporary or log files in shared directories.
Detection Methods for CVE-2024-45339
Indicators of Compromise
- Unexpected symbolic links in log directories pointing to sensitive system files
- Unexplained modifications to critical configuration files like /etc/passwd or /etc/shadow
- Applications using glog terminating unexpectedly with exit code 2 (after patching)
- Audit logs showing symlink creation in common log directories by unprivileged users
Detection Strategies
- Monitor log directories for symlink creation events using file integrity monitoring tools
- Implement auditd rules to track symbolic link creation in /tmp, /var/log, and other commonly used log directories
- Review application startup failures for exit code 2, which may indicate the patched glog detecting a pre-existing file attack attempt
- Scan for glog library versions in your application dependencies to identify vulnerable deployments
Monitoring Recommendations
- Deploy file integrity monitoring (FIM) on sensitive system files that could be targeted for overwrite
- Configure SentinelOne endpoint protection to detect and alert on suspicious symlink creation patterns
- Enable detailed audit logging for privileged process activity and file operations in shared directories
- Monitor for applications that unexpectedly crash or exit during logging initialization
How to Mitigate CVE-2024-45339
Immediate Actions Required
- Update glog library to the patched version containing the security fix from GitHub Pull Request #74
- Audit applications to identify those using glog and prioritize updates for privileged services
- Review log directory permissions and restrict write access where possible
- Configure applications to use dedicated log directories with restricted permissions rather than widely-writable locations
Patch Information
The vulnerability has been addressed in the glog library through a fix that causes the program to exit with status code 2 when it detects that the configured log file already exists. This defensive measure prevents the symlink attack from succeeding.
For detailed patch information, refer to:
- GitHub Pull Request #74 - Main security fix
- GitHub Pull Request Commit - Specific commit containing the fix
- Go.dev Vulnerability Report GO-2025-3372 - Official Go vulnerability database entry
- Debian LTS Security Announcement - Debian-specific patch information
Workarounds
- Configure glog to write to a dedicated directory with restrictive permissions (e.g., mode 0750) owned by the application user
- Mount log directories with the nosymfollow option where supported to prevent symlink following
- Use systemd's ProtectSystem and PrivateTmp directives for services using glog to isolate log directories
- Implement pre-execution checks in application startup scripts to verify log directory integrity before launching privileged processes
# Configuration example - Secure log directory setup
# Create dedicated log directory with restrictive permissions
mkdir -p /var/log/myapp
chown myapp:myapp /var/log/myapp
chmod 0750 /var/log/myapp
# Verify no symlinks exist before starting application
find /var/log/myapp -type l -exec rm {} \;
# Start application with explicit log directory
./myapp --log_dir=/var/log/myapp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
