External risk intelligence

Archive_Tar Directory Traversal Vulnerability.

CVE advisory | Known Exploit

CVE-2020-36193

The Archive_Tar component has a directory traversal vulnerability. This allows for unauthorized file writes, posing a risk of data modification and system compromise. Organizations using affected versions should prioritize updates.

Halo Surface Signal: 4

Path Traversal

Php Archive Tar

1.4.11 and earlier; 32; 33; 34; 35; 9.0; 10.0; 7.0 to before 7.78; 8.9.0 to before 8.9.13; 9.0.0 to before 9.0.11; 9.1.0 to before 9.1.3

External exposure likelihood

Halo Surface Signal score for CVE-2020-36193

The vulnerability affects library code (Archive_Tar) widely embedded in internet-facing web applications such as Drupal. Because these applications are commonly deployed as public-facing web services that handle file uploads or archive processing, the vulnerable functionality is often reachable via the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

The PEAR Archive_Tar component for PHP is vulnerable to a flaw that allows unauthorized write operations. This weakness stems from inadequate checking of symbolic links. The primary business impact is the potential for directory traversal, which can lead to unauthorized access to and modification of data within an organization's systems.

  • Archive_Tar component
  • Inadequate symbolic link checking
  • Unauthorized data access and modification

Attack Path

How an attacker could exploit the issue

This vulnerability arises from inadequate checking of symbolic links during write operations. An attacker could leverage this to perform directory traversal, potentially overwriting or accessing sensitive files. The impact is a compromise of data integrity and confidentiality within affected systems.

  • Network exposure required.
  • Attacker initiates file write.
  • Directory traversal occurs.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability permits attackers to write files to arbitrary locations on a system by manipulating symbolic links within archive files. Exploitation could lead to unauthorized modification or overwriting of critical system files, potentially causing service disruption or enabling further compromise. The issue is present in the Archive_Tar component, which is used in or shipped with various products, including Drupal and Fedora Linux.

  • Attackers with moderate skill can exploit this.
  • No special access or conditions are required.
  • Treat as urgent due to high business risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Archive_Tar allows for directory traversal through symbolic link manipulation, potentially enabling unauthorized write operations. Organizations utilizing affected versions of Archive_Tar, or products that include it, should prioritize identifying and mitigating their exposure. The risk to business operations stems from potential unauthorized data modification or system compromise.

  • Identify all instances of Archive_Tar in use.
  • Restrict access or isolate systems.
  • Update Archive_Tar and validate.
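
As a detection aid alongside the steps above, an archive can be audited before it reaches any extraction code. The following Python check is an added example, not code from Archive_Tar, its patch, or this page's publisher; the function names, the `/srv/app/uploads` destination and the sample archive are constructed for illustration, and it goes beyond symbolic links to cover hard links and entry paths that leave the destination.

```python
import io
import posixpath
import tarfile

def _inside(path, root):
    return path == root or path.startswith(root + "/")

def audit_tar(fileobj, dest="/srv/app/uploads"):
    """List (entry, reason) findings for a tar stream; nothing is extracted."""
    dest = posixpath.normpath(dest)
    findings, links = [], set()  # links: paths earlier entries declared as links
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            path = posixpath.normpath(posixpath.join(dest, m.name))
            if not _inside(path, dest):
                findings.append((m.name, "entry path leaves destination"))
                continue
            # A write to or beneath an earlier link would follow it on disk.
            parent = path
            while parent != dest:
                if parent in links:
                    findings.append((m.name, "path passes through archive link"))
                    break
                parent = posixpath.dirname(parent)
            if m.issym() or m.islnk():
                # Symlink targets resolve from the link's directory, hard links from the root.
                base = posixpath.dirname(path) if m.issym() else dest
                target = posixpath.normpath(posixpath.join(base, m.linkname))
                if not _inside(target, dest):
                    findings.append((m.name, "link target leaves destination"))
                links.add(path)  # conservative: track hard links too
    return findings

def build_sample():
    """Constructed sample archive (not from the advisory) used to show the check."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in [("docs/readme.txt", b"hello", None),
                                 ("docs/latest", None, "readme.txt"),
                                 ("docs/cfg", None, "../../outside"),
                                 ("docs/cfg/settings.txt", b"x", None)]:
            info = tarfile.TarInfo(name)
            if link is None:
                info.size = len(data)
            else:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info, io.BytesIO(data) if data else None)
    buf.seek(0)
    return buf
```

The check is lexical and looks only at archive metadata, so symbolic links that already exist on disk under the destination are outside its scope.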

Frequently asked questions

What is the PEAR Archive_Tar component and what is it used for?

The PEAR Archive_Tar is a PHP component used for creating and manipulating tar archives. It's a reusable piece of code within the PHP ecosystem, often integrated into other applications and systems for handling archive files.

How does CVE-2020-36193 exploit the Archive_Tar component?

CVE-2020-36193 is a Directory Traversal vulnerability. It occurs because Archive_Tar inadequately checks symbolic links during write operations, allowing attackers to bypass intended file paths and write files to unintended locations on the system.

What are the preconditions for an attacker to exploit CVE-2020-36193?

An attacker needs to be able to initiate a file write operation involving a specially crafted archive file. The vulnerability is triggered by inadequate checking of symbolic links within that archive, not by user interface interactions.

Who should be concerned about the Archive_Tar vulnerability (CVE-2020-36193)?

Organizations running internet-facing web applications that utilize the Archive_Tar component should be concerned. Since these applications often handle file uploads or archive processing, the vulnerable functionality can be accessible from the public internet.

What is the first step to address the Archive_Tar vulnerability?

The immediate first step is to identify all systems and applications where the affected version of Archive_Tar is in use. Once identified, prioritizing updates or isolating the systems can help mitigate the risk.
