CVE-2021-42056: 
SafeNet Authentication Client vulnerability analysis and mitigation

Thales Safenet Authentication Client (SAC) for Linux and Windows through version 10.7.7 contains a security vulnerability related to insecure temporary file creation. The software creates temporary hid and lock files with improper permissions, which could be exploited by local attackers (MITRE CVE, NVD). The vulnerability was discovered by @z00kov from CERT Orange Cyberdefense and was assigned CVE-2021-42056 on October 7, 2021 (GitHub POC).

The vulnerability is classified under CWE-378 (Creation of Temporary File With Insecure Permissions) and CWE-377 (Insecure Temporary File). The issue affects multiple directories including /tmp/eToken.hid/, /tmp/eToken.lock/, and /var/tmp/eToken.cache/* where files are created with world-readable/writable permissions (777 for directories, 666 for files) and root privileges. These files are created and updated during various SAC operations such as lock/unlock (GitHub POC).

The vulnerability allows local attackers to overwrite arbitrary files with SACSrv privileges (which runs as root by default) through symlink attacks. This could lead to critical system compromise by overwriting sensitive files like /bin/sh or /etc/shadow. An attacker could potentially obtain root/777 privileges and modify legitimate content or gain root shell access by manipulating the shadow file (GitHub POC).

As of July 28, 2023, even the latest version (22.3) remained vulnerable to this issue. No official fix or mitigation has been published by Thales, despite their initial response indicating the issue would be fixed during Q2 2022 (GitHub POC).