VYPR
Unrated severity · NVD Advisory · Published Aug 13, 2020 · Updated Aug 4, 2024

CVE-2020-24332

Description

TrouSerS tcsd creates /var/lib/tpm/system.data as root, allowing a local tss user to conduct symlink attacks leading to DoS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

TrouSerS through 0.3.14 contains a vulnerability in the tcsd daemon when it is started with root privileges. During startup, before dropping privileges to the tss user, the daemon creates or opens the file /var/lib/tpm/system.data with O_RDWR|O_CREAT and mode 0600 [1][3]. Because the state directory /var/lib/tpm is owned by the tss user (in the default packaging), a local attacker with control of the tss account can replace this path with a symbolic link to any other file on the system [1][3]. The flaw affects all distributions that ship the packaged TrouSerS, where the daemon is commonly started as root from init scripts [1].

Exploitation

An attacker who already has access to the local tss user account (for example, through a prior compromise of that service account) can stage a symlink attack. Before the tcsd daemon starts (or when it is restarted), the attacker creates a symbolic link at /var/lib/tpm/system.data pointing to a target file of their choice, such as a critical system file [1][3]. When tcsd runs as root and opens that path for writing, it follows the symlink and overwrites or creates the target file with 0600 permissions [3]. No additional authentication or user interaction is required beyond control of the tss account and the ability to restart or otherwise trigger daemon startup [1].

Impact

Successful exploitation allows the attacker to corrupt arbitrary files on the system by having tcsd overwrite them with its own state data, or to create new files with mode 0600 [3]. This can be leveraged into a denial of service (DoS) by overwriting essential configuration files or system binaries, since the corrupted file can render the system or a service inoperable [1][3]. Full privilege escalation is not directly achieved, because the corrupted files remain owned by root and the attacker does not control the content written, but the ability to destroy or alter critical files is sufficient for a reliable DoS attack [3].

Mitigation

No official patched release has been published by the TrouSerS upstream as of the CVE publication date (2020-08-13) [1][3]. The recommended mitigation is to avoid starting tcsd as root; instead, start it directly as the tss user and ensure /dev/tpm0 is owned by tss [1][2]. Distributions can also implement privilege dropping earlier in the startup sequence and drop both user and group privileges [1]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 6

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing O_NOFOLLOW flag when opening the system.data file allows a symlink attack by the tss user before privilege drop."

Attack vector

An attacker with access to the unprivileged `tss` user account can exploit the race window between the tcsd daemon starting as root and dropping privileges. Since `/var/lib/tpm` is owned by `tss:tss`, the attacker can place a symbolic link at `/var/lib/tpm/system.data` pointing to an arbitrary file on the system. When the daemon opens this path with `O_RDWR|O_CREAT` (without `O_NOFOLLOW`), it follows the symlink and creates or overwrites the target file with mode 0600 while still running as root [ref_id=1]. This can lead to corruption of existing files or creation of new files, enabling a denial-of-service (DoS) attack [ref_id=2].

Affected code

The vulnerability is in the tcsd daemon's initialization sequence. In the function `ps_init_disk_cache()`, the call to `get_file()` opens the `system_ps_file` (default `/var/lib/tpm/system.data`) using `O_RDWR|O_CREAT` with mode 0600, without `O_NOFOLLOW`. This occurs before the daemon drops root privileges in `main()` [ref_id=1].

What the fix does

The advisory recommends adding `O_NOFOLLOW` to the `openat()` call in step 3 to prevent the daemon from following symbolic links when creating or opening the `system.data` file [ref_id=1]. Additionally, the advisory suggests that the correct long-term fix is to open `/dev/tpm0` as root, immediately drop privileges to `tss:tss`, and only then perform further initialization steps such as creating the system.data file [ref_id=1]. No official patch from upstream is published in the bundle.
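As an added illustration (not TrouSerS code and not from the advisory), the open pattern described under Vulnerability and Affected code beside the O_NOFOLLOW hardening recommended above, staged against a constructed temporary directory rather than /var/lib/tpm; the function names are hypothetical and the symlink is planted by the program itself so the two behaviours can be compared side by side.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": the open the advisory describes (O_RDWR|O_CREAT, mode 0600, no
 * O_NOFOLLOW). Run as root on a tss-owned directory, a planted symlink is followed. */
int open_state_file_vulnerable(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* "After": O_NOFOLLOW makes open() fail with ELOOP when the final component is a
 * symlink; fstat then confirms a regular file with one hard link (a hard link
 * is the other way a directory owner can redirect a root write). */
int open_state_file_hardened(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;                 /* errno == ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Stage the scenario in a throwaway directory (constructed; not /var/lib/tpm):
 * a "victim" file plus a symlink named system.data pointing at it. Bitmask:
 * 1 = vulnerable open followed the link, 2 = hardened open refused it with
 * ELOOP, 4 = hardened open still works on a genuine system.data. */
int run_symlink_scenario(void)
{
    char dir[] = "/tmp/tpm-state-XXXXXX", link[64], victim[64], real[64];
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/system.data", dir);
    snprintf(real, sizeof real, "%s/system.data.real", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, link) != 0) return -1;
    if ((fd = open_state_file_vulnerable(link)) >= 0) { result |= 1; close(fd); }
    if (open_state_file_hardened(link) < 0 && errno == ELOOP) result |= 2;
    if ((fd = open_state_file_hardened(real)) >= 0) { result |= 4; close(fd); }
    unlink(link); unlink(victim); unlink(real); rmdir(dir);
    return result;
}
```

`run_symlink_scenario()` returns 7 when the vulnerable open follows the planted link, the hardened open rejects it with ELOOP, and the hardened open still succeeds on a real state file; the O_NOFOLLOW check is a complement to, not a replacement for, dropping to tss:tss before touching the state directory.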

Preconditions

  • config: The tcsd daemon must be started with root privileges (not directly as the tss user)
  • auth: The attacker must have access to the unprivileged tss user account
  • config: The /var/lib/tpm directory must be owned by tss:tss (the default configuration)
  • input: The attacker must be able to create a symbolic link at the system.data path before the daemon opens it

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.