VYPR
Unrated severity · NVD Advisory · Published Sep 11, 2023 · Updated Sep 26, 2024

CVE-2023-35845

Description

Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Anaconda3 and Miniconda install world-writable files including cacert.pem, allowing local users to disrupt TLS certificate validation.

Vulnerability

Anaconda3 2023.03-1-Linux and Miniconda install numerous files as world-writable on Linux, ignoring the umask setting even when installed as root [1]. Among these files is cacert.pem, used by the installed pip program for TLS certificate validation. This misconfiguration allows any local user to modify the certificate store, affecting the integrity of TLS connections made by pip.

Exploitation

A local attacker with access to the system can simply edit the world-writable cacert.pem file to add a rogue Certificate Authority (CA) or remove legitimate CAs. No special privileges or authentication beyond local user access are required. The attacker can then trigger a pip operation (e.g., package installation) that relies on the compromised certificate store, causing pip to trust malicious certificates or reject valid ones.

Impact

Successful exploitation enables a local attacker to perform man-in-the-middle attacks on TLS connections made by pip. This can lead to the installation of malicious packages from untrusted sources, potentially compromising the entire system. The attacker gains the ability to intercept, modify, or inject data during package downloads, undermining the security of software supply chain operations.

Mitigation

As of the publication date, no official patch has been released for Anaconda3 or Miniconda [1]. Users are advised to manually correct file permissions after installation by running chmod -R o-w /path/to/anaconda3, or to set a restrictive umask before installation. The issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Until a fix is provided, manual permission hardening is the only workaround.
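The post-install audit and hardening described above, as an added example that is not part of this advisory or of Anaconda's own tooling. It assumes a POSIX sh with find and chmod; the install path is a placeholder, and the cacert.pem location under pip's vendored certifi is an assumption about the standard pip layout.

```shell
#!/bin/sh
# Added example (not from the advisory or Anaconda): audit an Anaconda3/Miniconda
# prefix for world-writable entries and apply the chmod -R o-w workaround.
# The default prefix below is a placeholder; pass your real install path.

# List regular files and directories whose "other" write bit (octal 002) is set.
# Symlinks are skipped: on Linux a symlink's own mode is always 777 and meaningless.
audit_world_writable() {
  find "$1" ! -type l -perm -002 -print
}

# Number of world-writable entries under the prefix (0 means hardened).
count_world_writable() {
  audit_world_writable "$1" | wc -l | tr -d ' '
}

# Exit status 0 when the single path given is world-writable (no recursion:
# -prune stops find from descending when the path is a directory).
is_world_writable() {
  [ -n "$(find "$1" -prune ! -type l -perm -002 -print 2>/dev/null)" ]
}

# The workaround from the advisory: strip the other-write bit recursively.
harden_prefix() {
  chmod -R o-w "$1"
}

# Audit, harden, then re-check the CA bundle pip uses. The path is an assumption
# based on pip's vendored certifi layout (lib/python3.*/site-packages/pip/_vendor/certifi/).
main() {
  prefix="${1:-$HOME/anaconda3}"
  echo "world-writable entries before: $(count_world_writable "$prefix")"
  harden_prefix "$prefix"
  echo "world-writable entries after:  $(count_world_writable "$prefix")"
  for pem in "$prefix"/lib/python3*/site-packages/pip/_vendor/certifi/cacert.pem; do
    [ -e "$pem" ] || continue
    if is_world_writable "$pem"; then echo "STILL WRITABLE: $pem"; else echo "ok: $pem"; fi
  done
}

# Run only when a prefix is given on the command line, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh harden_conda.sh /path/to/anaconda3`; a non-zero "after" count means something outside chmod's reach (for example a mount with fixed permissions) still needs attention.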

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Anaconda/Anaconda 3 - Linux
    Range: >= 2023.03-1.0, <= 2023.03-1.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.