canna: unsafe handling of /tmp/.iroha_unix directory
Description
A race condition in canna's systemd service allows local attackers to hijack the UNIX socket via /tmp/.iroha_unix manipulation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The canna systemd service on openSUSE Backports SLE-15-SP3 (versions prior to canna-3.7p3-bp153.2.3.1) and SLE-15-SP4 (versions prior to 3.7p3-bp154.3.3.1) uses a publicly accessible directory /tmp/.iroha_unix for a UNIX domain socket, created via systemd-tmpfiles with mode 0755. However, the service unit removes this directory during ExecPre and ExecStopPost, creating a race window where an attacker can pre-create an unsafe directory. The server does not verify directory permissions, leading to improper access control [1].
Exploitation
An attacker with local access can watch for deletion of /tmp/.iroha_unix using inotify. Once the directory is removed (e.g., before service start or after stop), the attacker creates a world-writable directory (mode 777) owned by themselves. The cannaserver then creates its socket in this attacker-controlled directory. The attacker can delete the legitimate socket and replace it with a fake one, intercepting client connections [1].
Impact
A successful attacker can intercept traffic between canna clients and the server, reading sensitive input data and returning manipulated responses. This compromises confidentiality and integrity of the interactive session.
Mitigation
Fixed versions are canna-3.7p3-bp153.2.3.1 (SLE-15-SP3) and canna-3.7p3-bp154.3.3.1 (SLE-15-SP4). For openSUSE Factory, the package was deleted instead of being fixed [1]. Users should update to the patched versions; no workaround is available for unpatched installations.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7
- osv-coords (4 versions)
  pkg:rpm/opensuse/canna&distro=openSUSE%20Leap%2015.3
  pkg:rpm/opensuse/canna&distro=openSUSE%20Leap%2015.4
  pkg:rpm/suse/canna&distro=SUSE%20Package%20Hub%2015%20SP3
  pkg:rpm/suse/canna&distro=SUSE%20Package%20Hub%2015%20SP4
  < 3.7p3-bp153.2.3.1 + 3 more
- (no CPE) range: < 3.7p3-bp153.2.3.1
- (no CPE) range: < 3.7p3-bp154.3.3.1
- (no CPE) range: < 3.7p3-bp153.2.3.1
- (no CPE) range: < 3.7p3-bp154.3.3.1
- openSUSE/openSUSE Backports SLE-15-SP3 v5 Range: canna
- openSUSE/openSUSE Backports SLE-15-SP4 v5 Range: canna
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The systemd service for canna does not perform a sanity check on the permissions of the /tmp/.iroha_unix directory before creating its socket, allowing for privilege escalation."
Attack vector
A local attacker can exploit this vulnerability by waiting for the /tmp/.iroha_unix directory to be deleted, then creating a world-writable directory with the same name and appropriate permissions. The cannaserver will then create its socket within this attacker-controlled directory. The attacker can subsequently delete the socket and replace it with a fake socket, enabling them to intercept and manipulate client connections [1].
Affected code
The vulnerability lies in the systemd service for canna, specifically how it handles the /tmp/.iroha_unix directory. The `canna.service` unit file previously included `ExecPre=/bin/rm -rf /tmp/.iroha_unix` and `ExecStopPost=/bin/rm -rf /tmp/.iroha_unix` [1]. The issue arises because the service tolerates the existence of the directory and does not check its permissions, leading to the use of an unsafe directory [1].
What the fix does
The advisory suggests changing the Unix socket directory from /tmp/.iroha_unix to /run/canna, where arbitrary users cannot stage attacks. This change would require patching the Canna.conf file to update the UnixSockDir setting. Additionally, hardening measures such as sanity checking the socket directory's permissions at startup are recommended [1]. The provided patch modifies the canna.service unit to remove the socket directory before starting and after stopping the service, and the advisory notes that openSUSE Factory has implemented a whitelisting restriction for systemd-tmpfiles configuration files [1].
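The startup sanity check recommended above could look like the following C sketch. It is an added example, not canna's code or the distribution's patch; the function names `socket_dir_is_safe` and `check_scratch_dir` are hypothetical, and the scratch directories are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `path` is a real directory (not a symlink), owned by `owner`,
 * and not writable by group or others; returns 0 otherwise. */
int socket_dir_is_safe(const char *path, uid_t owner)
{
    struct stat st;
    int ok;
    /* O_NOFOLLOW rejects a symlink planted at the path; fstat() on the open
     * descriptor inspects the object that was opened, not whatever the name
     * refers to a moment later. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return 0;
    ok = fstat(fd, &st) == 0
      && S_ISDIR(st.st_mode)
      && st.st_uid == owner
      && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
    close(fd);
    return ok;
}

/* Constructed demo: make a scratch directory with `mode` and check it.
 * Returns the check result, or -1 if the scratch directory could not be set up. */
int check_scratch_dir(mode_t mode)
{
    char dir[] = "/tmp/sockdir-demo-XXXXXX";
    int ok;
    if (mkdtemp(dir) == NULL || chmod(dir, mode) != 0)
        return -1;
    ok = socket_dir_is_safe(dir, geteuid());
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("0755 -> %d\n", check_scratch_dir(0755));
    printf("0777 -> %d\n", check_scratch_dir(0777));
    printf("missing -> %d\n", socket_dir_is_safe("/nonexistent-demo", geteuid()));
    return 0;
}
```

A server would call such a check on its configured socket directory before bind() and refuse to start when it returns 0.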
Preconditions
- input: The attacker must have local access to the system.
- config: The system must be running a vulnerable version of canna with the described systemd service configuration.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.