Description
The cato-clientd service in the Cato Linux Client v5.4 and below writes sensitive files to the user's home directory during authentication:
- cato_cred.cfg.tk
- cato_cred.cfg
- a log file
These files are created owned by a high-privileged user and are not readable by unprivileged users.
However, the service does not check whether the path it is about to write is a symbolic link. Because the home directory is writable by the unprivileged user, a local attacker can place a symbolic link at one of these paths and have the privileged service follow it when it writes, overwriting arbitrary root-owned system files and escalating privileges.
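The pattern behind this class of bug, shown here as an added example that is not Cato's code (cato-clientd's source is not on this page; the function names, the temporary-directory fixture and the file contents are all hypothetical): a writer that opens the path directly follows whatever symlink the user planted, while a writer that opens the home directory first, refuses anything at the target name that is not its own regular file, and creates the file with O_EXCL|O_NOFOLLOW fails closed instead.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: plain open(2) follows whatever symlink the home-directory
 * owner planted at `path`, so a root daemon writes through it into the target. */
int write_cred_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t want = (ssize_t)strlen(data), got = write(fd, data, want);
    close(fd);
    return got == want ? 0 : -1;
}

/* Hardened pattern. `dir` is a directory the daemon trusts not to be replaced
 * (the home directory from passwd); `name` is a single path component.
 *  1. open the directory itself (O_DIRECTORY|O_NOFOLLOW) and work relative to
 *     that fd, so the path cannot be re-pointed between check and write;
 *  2. inspect what sits at `name` WITHOUT following links; fail closed (ELOOP)
 *     unless it is absent or a single-link regular file we own;
 *  3. create with O_CREAT|O_EXCL|O_NOFOLLOW: a symlink raced back into place
 *     makes open fail with EEXIST instead of being followed. */
int write_cred_safe(const char *dir, const char *name, const char *data)
{
    if (strchr(name, '/') != NULL) { errno = EINVAL; return -1; }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    struct stat st;
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0) {
        if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid()) {
            close(dfd);
            errno = ELOOP;            /* symlink or other planted object: refuse */
            return -1;
        }
        if (unlinkat(dfd, name, 0) != 0) { close(dfd); return -1; }
    } else if (errno != ENOENT) {
        close(dfd);
        return -1;
    }
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    if (fd < 0) return -1;
    ssize_t want = (ssize_t)strlen(data), got = write(fd, data, want);
    close(fd);
    return got == want ? 0 : -1;
}
/* Reads up to n-1 bytes of `path` into buf (NUL-terminated); -1 on error. */
static int read_small(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    return (int)got;
}

/* Constructed fixture, runnable as an ordinary user: `target` stands in for a
 * root-owned system file and cato_cred.cfg is the attacker's symlink to it.
 * Returns 0 when every step behaves as described, else the failing step. */
int run_demo(void)
{
    char dir[] = "/tmp/catosymXXXXXX", link[64], target[64], buf[32];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(link, sizeof link, "%s/cato_cred.cfg", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (write_cred_unsafe(target, "original") != 0 || symlink(target, link) != 0)
        return 2;
    /* 1. the vulnerable writer follows the link: target now holds our data */
    if (write_cred_unsafe(link, "secret") != 0 ||
        read_small(target, buf, sizeof buf) < 0 || strcmp(buf, "secret") != 0)
        return 3;
    /* 2. the hardened writer refuses the planted symlink; target is untouched */
    if (write_cred_safe(dir, "cato_cred.cfg", "newcred") != -1 || errno != ELOOP ||
        read_small(target, buf, sizeof buf) < 0 || strcmp(buf, "secret") != 0)
        return 4;
    /* 3. with the link gone it creates a fresh regular file of its own */
    if (unlink(link) != 0 || write_cred_safe(dir, "cato_cred.cfg", "newcred") != 0 ||
        lstat(link, &st) != 0 || !S_ISREG(st.st_mode) ||
        read_small(link, buf, sizeof buf) < 0 || strcmp(buf, "newcred") != 0)
        return 5;
    unlink(link); unlink(target); rmdir(dir);
    return 0;
}
int main(void)
{
    int rc = run_demo();
    printf("%s (step %d)\n", rc ? "demo failed" : "symlink attack reproduced and blocked", rc);
    return rc;
}
```

Build with `cc -Wall demo.c && ./a.out`; run_demo() returns 0 when the unsafe writer was redirected into `target` and the safe writer refused the link. The remaining exposure is the directory walk above `dir`: O_NOFOLLOW only protects the last path component, so the daemon must take the home directory from a trusted source rather than a user-controlled subpath; on Linux 5.6 and later, openat2() with RESOLVE_NO_SYMLINKS closes that gap in a single call.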
Severity
The CVSSv4 score is 8.6 (High).
What Changes Do I Need to Make?
Use the Access Overview page to identify users running an affected Linux Client version (v5.4 and below), and make sure they upgrade to the latest Linux Client version to receive the most recent security patches and enhancements.
Acknowledgments
Cato Networks thanks Kin Hung Cheng and Radjnies Bhansingh from Securify for detecting and identifying the issue.
What is the Impact on the Account?
If you don’t upgrade to the latest Linux Client version, devices running v5.4 and below remain vulnerable. To the best of our knowledge, this issue has not been exploited in the wild.