grub2-once uses fixed file name in /var/tmp
Description
A local attacker can exploit a fixed temporary filename in grub2-once to truncate arbitrary files via a symlink attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-46705 is an insecure temporary file vulnerability in the grub2-once script of grub2, as shipped in SUSE Linux Enterprise Server 15 SP4 and openSUSE Factory. The script uses a fixed filename /var/tmp/grub2-cleanup-once (line 181 of /sbin/grub2-once) when creating a temporary file. This allows a local attacker to place a symlink at that path, causing the privileged sysadmin process to truncate the file pointed to by the symlink. Affected versions are grub2 prior to 2.06-150400.7.1 for SUSE Linux Enterprise Server 15 SP4, and grub2 prior to 2.06-18.1 for openSUSE Factory [1].
Exploitation
An unprivileged local user can exploit this by creating a symbolic link at /var/tmp/grub2-cleanup-once that points to any file the attacker wants truncated (e.g., a system configuration file). When a sysadmin or automated process runs grub2-once, the script opens the path in write mode (>) [1], which truncates the file the symlink points to. No authentication beyond local shell access is required, and the file creation happens with the privileges of the user running the script (typically root).
Impact
Successful exploitation allows a local attacker to truncate arbitrary files on the system. This can lead to denial of service (e.g., truncating critical files like /etc/shadow or log files), or potentially aid in privilege escalation by corrupting security-relevant configuration files. The impact is limited to file truncation, not arbitrary write or read, but can still be severe.
Mitigation
The vulnerability is fixed in grub2 versions 2.06-150400.7.1 (SUSE Linux Enterprise Server 15 SP4) and 2.06-18.1 (openSUSE Factory) [1]. Users should update to these patched versions. The fix involves using a dedicated directory such as /var/lib/misc or a per-user path instead of /var/tmp to avoid race conditions and symlink attacks [1]. No workaround is documented; updating is the recommended action.
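The fixed-name pattern described above next to an exclusive-create alternative, as an added example that is neither grub2-once's code nor the SUSE fix: it swaps in shell noclobber instead of the dedicated directory the fix uses. It runs entirely inside a temporary sandbox; the function names and the victim file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Everything happens inside a throwaway mktemp -d sandbox;
# "grub2-cleanup-once" is the fixed name from the advisory, "victim" is constructed.

# Pattern described above: a predictable name opened with '>'.
# The open follows a symlink at that path and truncates its target.
write_unsafe() {
    : > "$1"
}

# Hardened creation: noclobber (set -C) makes the shell refuse a path that
# already exists and create a missing one with O_EXCL, so a planted symlink
# (dangling or not) is never followed.
write_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Check for unpatched hosts: is something already sitting at the fixed path?
audit_path() {
    if [ -L "$1" ]; then echo "symlink"
    elif [ -e "$1" ]; then echo "exists"
    else echo "absent"
    fi
}

# Prints: <victim bytes after unsafe write> <exclusive result> <victim state> <audit>
demo() {
    box=$(mktemp -d) || return 1
    tmp="$box/grub2-cleanup-once"
    printf 'important data\n' > "$box/victim"
    ln -s "$box/victim" "$tmp"                  # constructed stand-in for a planted link

    write_unsafe "$tmp"
    size=$(wc -c < "$box/victim" | tr -d ' ')

    printf 'important data\n' > "$box/victim"   # restore, then retry safely
    if write_exclusive "$tmp"; then result=created; else result=refused; fi
    if [ -s "$box/victim" ]; then state=intact; else state=truncated; fi

    echo "$size $result $state $(audit_path "$tmp")"
    rm -rf "$box"
}

demo
```

On a host that cannot be updated immediately, `audit_path /var/tmp/grub2-cleanup-once` reporting `symlink` is worth investigating before grub2-once is next run.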
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- Range: grub2
- Range: grub2
References
- [1] bugzilla.suse.com/show_bug.cgi (mitre, x_refsource_CONFIRM)