CVE-2023-43741: 
vulnerability analysis and mitigation

A time-of-check-time-of-use (TOCTOU) race condition vulnerability exists in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5. The vulnerability allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script (NVD).

The vulnerability exists in the fix-buildkite-agent-builds-permissions script which is intended to recursively fix ownership for files and directories. The script attempts to prevent symbolic link exploitation by checking PIPELINE_PATH with realpath, but introduces a TOCTOU race condition that allows bypassing this check. An attacker can craft a PIPELINE_PATH directory that passes the realpath check and convert the directory to a symbolic link before the chown command executes (Atredis Advisory). The vulnerability has a CVSS v3.1 base score of 7.0 HIGH (Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

Successful exploitation of this vulnerability allows an attacker with buildkite-agent user access to bypass symbolic link checks and potentially escalate privileges on the system by changing ownership of sensitive files (Atredis Advisory).

Users should upgrade to version 6.7.1 or 5.22.5 which addresses this vulnerability. Alternatively, customers can deploy a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build (Atredis Advisory).