Learn about the B2 Command Line Tool TOCTOU application key disclosure vulnerability and how users can mitigate the risk. Find out the affected systems, exploitation mechanism, and necessary preventive measures.
A detailed overview of the B2 Command Line Tool TOCTOU application key disclosure vulnerability.
Understanding CVE-2022-23653
This section provides insights into the nature and impact of the vulnerability.
What is CVE-2022-23653?
The B2 Command Line Tool by Backblaze, versions below 3.2.1, is vulnerable to a key disclosure issue due to a time-of-check-time-of-use (TOCTOU) race condition.
The Impact of CVE-2022-23653
The vulnerability allows local attackers to exploit the TOCTOU race condition, potentially leading to key disclosure in certain conditions.
Technical Details of CVE-2022-23653
This section delves into the technical aspects of the vulnerability.
Vulnerability Description
The B2 Command Line Tool saves API keys in a local database file; because of the TOCTOU race in how that file is created and its permissions set, the file is briefly readable by other local users, facilitating key disclosure.
Affected Systems and Versions
Users of B2 Command Line Tool versions below 3.2.1 for Linux and Mac are affected by this vulnerability.
Exploitation Mechanism
Local attackers can exploit the TOCTOU race condition by accessing the vulnerable files during the brief exposure period.
Mitigation and Prevention
Learn about the steps to mitigate and prevent the exploitation of this vulnerability.
Immediate Steps to Take
Users who have not yet run "b2 authorize-account" should update to version 3.2.1 before doing so. Users who have already run it should ensure that no other local users had read access to the configuration file, and treat the key as exposed if they cannot rule this out.
Long-Term Security Practices
Upgrade to version 3.2.1 where possible; if upgrading is not feasible, restrict the configuration file's permissions so that other local users cannot read it, or use a binary release.
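The following is an added example, not code from the B2 Command Line Tool (whose internals this page does not show). It contrasts the class of bug described above, a create-then-chmod sequence that leaves a credential file world-readable for a short window, with creating the file atomically in private mode, and it includes the permission check the mitigation steps ask for. The file name, the secret bytes and the simulated 0o022 umask are constructed placeholders; the check targets Linux and macOS file modes, matching the affected platforms.

```python
import os
import stat
import tempfile


def other_users_can_read(path: str) -> bool:
    """Audit check matching the advisory's advice: report whether the group or
    world read bit is set on a credential file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def create_then_chmod(path: str, secret: bytes) -> bool:
    """TOCTOU-prone pattern: the file is created with the umask's default mode
    and only later tightened with chmod. Another local user who opens the file
    inside that window keeps a readable descriptor even after the chmod.
    Returns whether the file was readable by other users during the window."""
    old_umask = os.umask(0o022)  # simulate the common default umask (assumption)
    try:
        with open(path, "wb") as fh:
            fh.write(secret)
            exposed = other_users_can_read(path)  # the exposure window
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)  # too late: the window above already happened
    return exposed


def create_private(path: str, secret: bytes) -> None:
    """Hardened pattern: the 0o600 mode is applied by the kernel at creation
    time, so no window exists, and O_EXCL refuses to reuse a pre-existing
    file (for example one placed there by another local user)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)


def run_demo() -> dict:
    """Create both variants in a scratch directory and report what an audit
    would see: the exposure during the window and the final state of each."""
    secret = b"constructed-placeholder-application-key"
    with tempfile.TemporaryDirectory() as tmp:
        racy = os.path.join(tmp, "racy_account_info.db")
        safe = os.path.join(tmp, "private_account_info.db")
        exposed_during_window = create_then_chmod(racy, secret)
        create_private(safe, secret)
        return {
            "racy_exposed_during_window": exposed_during_window,
            "racy_readable_after_chmod": other_users_can_read(racy),
            "private_readable": other_users_can_read(safe),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The audit function is the part worth running on a real machine: point it at the tool's configuration file to confirm that no group or world read bit is set, which is the check the "Immediate Steps" section asks for.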
Patching and Updates
Keep the B2 Command Line Tool updated to the latest version and follow security best practices to prevent future vulnerabilities.