VYPR
Unrated severity · NVD Advisory · Published Mar 1, 2018 · Updated Sep 16, 2024

OBS worker VM escape via relative symbolic links

CVE-2017-5188

Description

The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open Build Service before 20170320 allowed reading arbitrary files via relative symlinks in bs_worker, leaking private information.

Vulnerability

The bs_worker code in Open Build Service (OBS) before version 20170320 followed relative symbolic links when processing package source files during builds. A symlink in the package source that pointed outside the source directory was followed rather than rejected, so the worker read the link target instead of the link itself, exposing any file readable by the worker process to the build. The defect was in the cpio_sender subroutine, which opened each entry without first checking whether it was a plain file or a symlink [3]. Affected versions include the OBS master, 2.8, 2.7, and 2.6 branches [2].

Exploitation

An attacker able to submit package sources (e.g., a user with package submission rights) could include a relative symlink such as ../../../etc/passwd in the package source. When the build ran, bs_worker followed the link and sent the target's contents in place of the link, so the leaked data ended up in material the attacker could retrieve. No access beyond normal package submission was needed, and the submission can be made remotely through the OBS API [1].

Impact

Successful exploitation allows an attacker to read files outside the package source directory on the OBS worker system, limited to what the worker process itself can read, leading to leakage of private information. The confidentiality impact is high, while integrity and availability are not affected. The CVSS v3 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) [1]. Note that this vector scores privileges required as none, whereas the exploitation path above assumes an account that can submit package sources.

Mitigation

The fix was committed to the OBS git repository on March 21, 2017, in commit ba27c91351878bc297ec4baba0bd488a2f3b568d [3]. It changes cpio_sender to lstat each entry (lstat reports on the link itself rather than its target) and to reject with an error anything that is a symbolic link or otherwise not a plain file. The fix was applied to the OBS master, 2.8, 2.7, and 2.6 branches [2]. Users should upgrade to OBS version 20170320 or later. For older versions no workaround is documented; upgrading is the recommended mitigation.
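The following is an added example, written for this page in Python (bs_worker itself is Perl) and not code from OBS or the fix commit. It models the behaviour described in the Vulnerability and Mitigation sections above: a packer that simply opens every entry in a package source directory and so follows a relative symlink out of it, beside a packer that lstat()s each entry and refuses links and non-plain files. The function names, the constructed directory layout (a secret.txt two levels above the source directory and a relative link "creds" pointing at it), and the O_NOFOLLOW/fstat re-check after lstat are assumptions of this example, not details of the OBS code.

```python
import os
import stat
import tempfile


class UnsafeSourceFile(Exception):
    """Raised when a package source entry is not a plain regular file."""


def pack_sources_following_symlinks(srcdir):
    """Pre-fix behaviour (modelled on the advisory, not OBS code): every
    entry is opened as-is, so a relative symlink such as ../../secret.txt
    is followed and the target outside srcdir is read into the payload."""
    payload = {}
    for name in sorted(os.listdir(srcdir)):
        with open(os.path.join(srcdir, name), "rb") as fh:  # follows symlinks
            payload[name] = fh.read()
    return payload


def pack_sources_lstat_checked(srcdir):
    """Post-fix behaviour: lstat() each entry (lstat reports on the link,
    not its target) and refuse anything that is not a regular file.
    The O_NOFOLLOW open plus fstat identity re-check is an extra hardening
    step assumed here, closing the window between lstat and open."""
    payload = {}
    for name in sorted(os.listdir(srcdir)):
        path = os.path.join(srcdir, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            raise UnsafeSourceFile(f"{name}: symbolic link in package source")
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeSourceFile(f"{name}: not a plain file")
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        try:
            fst = os.fstat(fd)
            if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
                raise UnsafeSourceFile(f"{name}: entry changed after lstat")
        except BaseException:
            os.close(fd)
            raise
        with os.fdopen(fd, "rb") as fh:
            payload[name] = fh.read()
    return payload


def build_demo_tree(root):
    """Constructed sample layout: a secret outside the package source
    directory, and a package source holding one real file plus a relative
    symlink escaping to that secret (the pattern the advisory describes)."""
    srcdir = os.path.join(root, "build", "src")
    os.makedirs(srcdir)
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db-password=hunter2\n")
    with open(os.path.join(srcdir, "hello.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    os.symlink(os.path.join("..", "..", "secret.txt"),
               os.path.join(srcdir, "creds"))
    return srcdir


def demo():
    """Run both packers over the constructed tree and return
    (bytes leaked by the vulnerable packer, error raised by the checked one)."""
    with tempfile.TemporaryDirectory() as root:
        srcdir = build_demo_tree(root)
        leaked = pack_sources_following_symlinks(srcdir)["creds"]
        try:
            pack_sources_lstat_checked(srcdir)
            error = None
        except UnsafeSourceFile as exc:
            error = str(exc)
    return leaked, error


if __name__ == "__main__":
    leaked, error = demo()
    print("vulnerable packer leaked:", leaked)
    print("checked packer rejected:", error)
```

Running the script prints the secret read through the link by the first packer and the rejection message from the second. Rejecting on lstat alone, as the fix does, is what stops the leak; the O_NOFOLLOW open and inode comparison only guard against the entry being swapped for a link after the check, which matters when the source directory is writable by someone else while the packer runs.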

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
