一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 |

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 |

| ------- | -------- |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

Qualys Security Advisoryhttps://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txthttps://www.openwall.com/lists/oss-security/2022/10/24/2========================================================================CVE-2022-41974: Authorization bypass========================================================================The multipathd daemon listens for client connections on an abstract Unixsocket (conveniently, the multipathd binary itself can act as a client,if executed with non-option arguments; we use this feature extensivelyin this advisory to connect and send commands to the multipathd daemon):------------------------------------------------------------------------$ ps -ef | grep multipath[d] root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s$ ss -l -x | grep multipathd u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105------------------------------------------------------------------------The commands sent by a client to multipathd are composed of keywords,and internally, each keyword is identified by a different bit; forexample, list is 1 (1<<0), add is 2 (1<<1), and path (whichrequires a parameter) is 65536 (1<<16):------------------------------------------------------------------------155 load_keys (void)...163 r += add_key(keys, list , LIST, 0);164 r += add_key(keys, show , LIST, 0);165 r += add_key(keys, add , ADD, 0);...183 r += add_key(keys, path , PATH, 1);------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH)------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH,------------------------------------------------------------------------In turn, each command is associated with a handler (a C function) by itsfingerprint -- the bitwise OR of its constituent keywords; for example,the command list path PARAM is associated with cli_list_path() by thefingerprint 65537 (LIST+PATH=1+65536), and the command add path PARAM is associated with cli_add_path() by the fingerprint 65538(ADD+PATH=2+65536):------------------------------------------------------------------------1522 void init_handler_callbacks(void)....1527 set_handler_callback(LIST+PATH, cli_list_path);....1549 set_handler_callback(ADD+PATH, cli_add_path);------------------------------------------------------------------------321 static uint64_t322 fingerprint(const struct _vector *vec)...325 uint64_t fp = 0;...331 vector_foreach_slot(vec, kw, i)332 fp += kw->code;333 334 return fp;------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL;------------------------------------------------------------------------When multipathd receives a command from a client, it first performs anauthentication check and an authorization check (both at line 491):------------------------------------------------------------------------431 static int client_state_machine(struct client *c, struct vectors *vecs,...485 case CLT_PARSE:486 c->error = parse_cmd(c);487 if (!c->error) {...491 if (!c->is_root && kw->code != LIST) {492 c->error = -EPERM;...495 }496 }497 if (c->error)...501 else502 set_client_state(c, CLT_WORK);...522 case CLT_WORK:523 c->error = execute_handler(c, vecs);------------------------------------------------------------------------- Authentication: if the client s UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged.- Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either list or show ).Attentive readers may have noticed that multipathd does not, in fact,calculate the fingerprint of a command by bitwise-ORing its constituentkeywords, but by arithmetic-ADDing them (at line 332). While these twooperations are equivalent if no keyword is repeated, we (attackers) cansend a seemingly unprivileged command (whose first keyword is list )but whose fingerprint matches a privileged command (by repeating the list keyword): we can exploit this flaw to bypass multipathd sauthorization check.For example, we are not allowed to execute add path PARAM (whosefingerprint is 2+65536=65538) because the first keyword is not list ,but we are allowed to execute the equivalent list list path PARAM (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)because the first keyword is list (the multipathd daemon below replies blacklisted because PARAM is an invalid path, not because the commandis denied):------------------------------------------------------------------------$ multipathd add path PARAMpermission deny: need to be root$ multipathd list list path PARAMblacklisted------------------------------------------------------------------------This authorization bypass greatly enlarges the attack surface ofmultipathd: 34 privileged command handlers become available to localattackers, in addition to the 23 unprivileged command handlers that arenormally available. We audited only a few of these command handlers,because we quickly discovered a low-hanging vulnerability (a symlinkattack) in one of them.

漏洞公开时间：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

BaseScore：7.8 High

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

BaseScore：7.8 High

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

| cve_search | | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html |

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V3.0分值：

BaseScore：7.8 High

Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

| cve_search | | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V3.0分值：

BaseScore：7.8 High

Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

| cve_search | | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.8

Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V3.0分值：

BaseScore：7.8 High

Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

| cve_search | | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.8

Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

受影响版本排查(受影响/不受影响)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

修复是否涉及abi变化(是/否)：

1.openEuler-20.03-LTS-SP1(0.8.4):

2.openEuler-20.03-LTS-SP3(0.8.4):

3.openEuler-22.03-LTS(0.8.7):

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V3.0分值：

BaseScore：7.8 High

Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat | https://access.redhat.com/security/cve/CVE-2022-41974 | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 |

| debian | | https://security-tracker.debian.org/tracker/CVE-2022-41974 |

| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2022-41974 |

| cve_search | | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2022/10/24/2 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1202739 |

| cve_search | | http://seclists.org/fulldisclosure/2022/Oct/25 |

| cve_search | | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |

| redhat_bugzilla | https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt | |

| redhat_bugzilla | https://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7185 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7187 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7188 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7186 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7192 | |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2022:7191 | |

| redhat_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2133988 | |

| debian | https://security-tracker.debian.org/tracker/CVE-2022-41974 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

无

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

修复是否涉及abi变化(是/否)：

一、漏洞信息

漏洞编号：[CVE-2022-41974](https://nvd.nist.gov/vuln/detail/CVE-2022-41974)

漏洞归属组件：[multipath-tools](https://gitee.com/src-openeuler/multipath-tools)

漏洞归属的版本：0.8.4,0.8.5,0.8.7

CVSS V3.0分值：

BaseScore：7.8 High

Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

漏洞简述：

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

漏洞公开时间：2022-10-30 03:15

漏洞创建时间：2022-10-25 13:34:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2022-41974

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| nvd | https://github.com/opensvc/multipath-tools/releases/tag/0.9.2 | |

| nvd | http://www.openwall.com/lists/oss-security/2022/10/24/2 | |

| nvd | https://bugzilla.suse.com/show_bug.cgi?id=1202739 | |

| nvd | http://seclists.org/fulldisclosure/2022/Oct/25 | |

| nvd | http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html | |