CVE-2022-46174: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

A race condition vulnerability (CVE-2022-46174) was identified in Amazon EFS Utils versions 1.34.3 and below. The vulnerability was discovered in December 2022 and affects the Amazon Elastic File System (EFS) mount helper component. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel (GitHub Advisory).

The vulnerability stems from a race condition in the TLS port allocation process. During concurrent mount operations, the mount helper could allocate the same local port for different mount requests before applying the TLS tunnel. This occurs because the port selection process lacked proper synchronization mechanisms. The vulnerability has been assigned a CVSS v3.1 base score of 4.2 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L (NVD).

The race condition can lead to two primary impacts: failed mount operations or inappropriate mapping between an EFS customer's local mount points and their EFS file systems. This could potentially result in mount failures or incorrect file system associations, affecting the reliability and security of EFS mounts (GitHub Advisory).

The vulnerability has been patched in efs-utils version 1.34.4. There are no recommended workarounds, and users are strongly advised to update to version 1.34.4 or later to address this security issue. The fix implements a state file mechanism that acts as a TLS port lock file to prevent concurrent port allocation (GitHub Commit).