Unrated severity · NVD Advisory · Published Aug 13, 2020 · Updated Aug 4, 2024

CVE-2020-24330

Description

TrouSerS tcsd daemon fails to drop root group privileges when started as root, allowing privilege escalation from tss user to root group capabilities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An issue in TrouSerS through version 0.3.14 occurs when the tcsd daemon is started with root privileges instead of using the unprivileged tss user account. The daemon fails to drop the root group ID (gid) after switching to the tss user, meaning the process retains root group privileges. This affects any deployment where tcsd is started as root, typically via systemd scripts or init systems that do not properly drop groups. Versions up to and including 0.3.14 are affected [1][2].

Exploitation

An attacker who already has access to the tss user account (e.g., by compromising tcsd or through another local vector) can exploit this incomplete privilege drop. Since the daemon continues to run with the root group ID, the attacker can leverage this group membership to access files or resources restricted to the root group. The attack requires prior compromise of the tss user, making it a local privilege escalation from the tss user context to root group capabilities. No network access or user interaction is required beyond the initial compromise [1][2].

Impact

Successful exploitation allows an attacker with tss user privileges to perform operations that require root group membership. This can lead to unauthorized access to system resources, potential modification of files owned by root group, and further privilege escalation. The impact is confined to the group-level privilege; full root user (uid 0) is not directly achieved, but the attacker gains broader system access than intended for the tss user [1][3].

Mitigation

TrouSerS 0.3.14 is the latest release but carries this vulnerability. No official patched version has been released as of the publication date. Workarounds include ensuring that tcsd is not started as root; instead, start it directly as the tss user via systemd or start-stop-daemon, and ensure the /dev/tpm0 device is owned by tss. Distributions like openSUSE have issued updates that mitigate the issue [1][4]. As of August 2020, CVE-2020-24330 is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The tcsd daemon drops the root uid after initialization but fails to call setgid(), so the process retains the root group (gid) privilege."

Attack vector

An attacker who already controls the unprivileged tss user can exploit the fact that the tcsd daemon continues to run with the root group (gid) after the uid drop [ref_id=1]. The missing setgid() call means the daemon holds a group privilege it no longer requires, which could enable further privilege escalations when combined with other attack vectors [ref_id=1]. The precondition is that the tcsd daemon is started with root privileges rather than directly as the tss user [ref_id=2].

Affected code

The vulnerability is in the privilege-drop logic of the tcsd daemon's main() function. After opening /dev/tpm0 as root and performing initialization steps (conf_file_init(), ps_dirs_init(), ps_init_disk_cache()), the daemon drops the root uid but omits a call to setgid(), leaving the root group ID active [ref_id=1].

What the fix does

The suggested source-code fix adds a call to setgid() to drop the root group ID to the tss group after the uid drop, ensuring the daemon no longer runs with any unnecessary root-level group privilege [ref_id=1]. The advisory also recommends the long-term fix of opening /dev/tpm0 as root, immediately dropping to tss:tss, and only then performing further initialization steps [ref_id=1]. No official upstream patch is confirmed in the bundle; the fix guidance comes from the researcher's advisory [ref_id=1].

Preconditions

  • config: The tcsd daemon must be started with root privileges (e.g., via systemd on SUSE and Fedora) rather than directly as the tss user.
  • auth: The attacker must already have control of the unprivileged tss user account on the system.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
