CVE-2022-4510: 
Python vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2022-4510) was identified in ReFirm Labs binwalk versions 2.1.2b through 2.3.3. The vulnerability was discovered in late 2022 and publicly disclosed in January 2023. The issue affects the PFS extractor component of binwalk, specifically in the src/binwalk/plugins/unpfs.py file (NVD).

The vulnerability stems from improper path resolution in the PFS extractor script. When binwalk is run in extraction mode (-e option), an attacker can craft a malicious PFS filesystem file that allows for arbitrary file extraction locations. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability can lead to remote code execution. An attacker can build a PFS filesystem that, upon extraction, would place a malicious binwalk module into the .config/binwalk/plugins folder, which would then be loaded and executed by binwalk. This allows for arbitrary code execution in the context of the user running binwalk (GitHub PR).

The vulnerability has been fixed in binwalk version 2.3.4. Users are advised to upgrade to this version or later. The fix involves properly resolving paths using os.path.abspath instead of relying on os.path.join (Gentoo Security, GitHub PR).