CVE-2022-37703

Vulnerability

In Amanda 3.5.1, the calcsize SUID binary contains an information disclosure vulnerability. The binary invokes opendir() as root on an attacker-supplied path without validating it [3]. This allows a local attacker to check whether any directory exists anywhere on the filesystem. The vulnerable code is in calcsize.c at line 435: if((d = opendir(dirname)) == NULL) [3]. Only version 3.5.1 is confirmed affected; later versions (3.5.3) have addressed security issues [1].

Exploitation

An attacker must be the backup user (or otherwise have access to the calcsize binary) [3]. The attacker runs the binary with the -X flag and a target path. If the directory exists, the binary produces no output; if it does not exist, it prints an error like [path]/.: No such file or directory [3]. No additional privileges or user interaction beyond being the backup user are required.

Impact

The attacker can enumerate directories across the filesystem, revealing the presence of sensitive directories (e.g., configuration, password, or data directories). This is an information disclosure that aids further privilege escalation or reconnaissance. The binary runs as root, but the leak is limited to directory existence; no file contents are exposed.

Mitigation

Upgrade to Amanda version 3.5.3 or later, which includes fixes for this vulnerability [1]. If upgrading is not immediately possible, restrict access to the calcsize binary to trusted users only. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog.