CVE-2022-23653: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in Backblaze B2_Command_Line_Tool
B2 Command Line Tool is the official command line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and the bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory is readable by a local attacker and the user has not yet run `b2 authorize-account`, then during the brief period between file creation and permission modification a local attacker can race to open the file and keep a handle to it. This allows the local attacker to read the contents of the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if, at the time of the file creation, no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1, remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file, and it must not be relied on to invalidate open handles to the file. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively, a new version can be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file.
AI Analysis
Technical Summary
CVE-2022-23653 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability affecting the Backblaze B2 Command Line Tool versions 3.2.0 and below on Linux and Mac platforms. The B2 Command Line Tool is used to interact with Backblaze's cloud storage service, storing API keys and bucket name-to-ID mappings locally in a database file (commonly located at `$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info`, or a user-defined path). When `b2 authorize-account` is first executed, this database file is created with world-readable permissions and only afterwards changed to private, user-only permissions. This brief window, typically a few milliseconds, creates a race condition: a local attacker with read access to the directory can open the file and hold a handle to it before the permissions are restricted. Because an already-open handle is unaffected by the later chmod, the attacker can read the API keys and configuration data once the file is populated with them. The vulnerability requires local access and the ability to read the directory containing the configuration file before the user runs `b2 authorize-account`. Users who have already authorized their account and whose configuration file was not accessible by other local users at creation time are not vulnerable; if the file was accessible, the keys may already have been obtained. The vulnerability does not require user interaction beyond the victim running the authorize command and does not require network access. There are no known exploits in the wild. Mitigation involves upgrading to version 3.2.1 or later, which closes the window by restricting the file's permissions at creation time rather than afterwards. If upgrading is not possible, users can use a binary release, install the tool in a virtual environment, or manually restrict directory and file permissions to prevent unauthorized local access.
Additionally, users who suspect compromise should delete the local database file and regenerate all API keys, since `b2 clear-account` neither removes the database file nor invalidates open file handles. This vulnerability is categorized under CWE-367 (TOCTOU race condition) and primarily impacts confidentiality through unauthorized disclosure of API keys.
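The two file-creation sequences contrasted above, as an added example that is not the B2 tool's own code: `create_then_chmod` reproduces the create-then-restrict ordering the advisory describes and reports the mode the file briefly has, while `create_private` creates the file owner-only in a single syscall so no such window exists. `demo` runs both under a chosen umask in a temporary directory; the secret written is a constructed placeholder.

```python
import os
import shutil
import stat
import tempfile


def create_then_chmod(path, secret):
    """Vulnerable sequence (the pattern the advisory describes).

    open() creates the file with mode 0o666 masked by the process umask,
    so under the common umask 022 it is world-readable until chmod runs.
    Any handle another local user opened in that window stays readable
    after the mode is tightened.  Returns the exposed mode.
    """
    with open(path, "w") as f:
        exposed = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        f.write(secret)
    os.chmod(path, 0o600)  # too late if a handle is already open
    return exposed


def create_private(path, secret):
    """Hardened sequence: the file is owner-only from the first instant.

    O_CREAT|O_EXCL with mode 0o600 creates it in one syscall; the umask can
    only clear bits, so the result is never looser than 0o600.  O_EXCL also
    refuses to reuse a file or symlink someone pre-planted at the path.
    Returns the mode the file had at creation.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        f.write(secret)
    return mode


def demo(umask=0o022):
    """Run both patterns in a fresh temp dir under `umask` and return
    (mode exposed by the vulnerable pattern, mode of the hardened file)."""
    old = os.umask(umask)
    workdir = tempfile.mkdtemp()
    try:
        secret = "constructed-placeholder-key"  # not a real credential
        vulnerable = create_then_chmod(os.path.join(workdir, "account_info"), secret)
        hardened = create_private(os.path.join(workdir, "account_info.new"), secret)
    finally:
        os.umask(old)
        shutil.rmtree(workdir)
    return vulnerable, hardened


if __name__ == "__main__":
    print("exposed mode %o, hardened mode %o" % demo())
```

Running `demo(0o077)` shows that a restrictive umask also closes the window for the vulnerable pattern, which is why the advisory lists permission changes as a fallback mitigation.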
Potential Impact
For European organizations using the Backblaze B2 Command Line Tool on Linux or Mac systems, this vulnerability poses a risk of credential disclosure to other local users, which in effect is a local privilege escalation into the cloud account. If an attacker gains local access, for example through shared workstations, compromised user accounts, or insider threats, they could exploit the race condition to extract API keys, enabling unauthorized access to cloud storage buckets. This could lead to data exfiltration, data tampering, or disruption of cloud storage services. The impact is particularly significant for organizations relying on Backblaze B2 for critical backups, archival storage, or data sharing, as compromised keys could undermine data confidentiality and integrity. Since the vulnerability requires local access and directory read permissions, environments with multi-user access or lax file permission policies are most at risk. The vulnerability does not directly impact availability but could indirectly cause service disruption if attackers delete or modify stored data. Given the increasing adoption of cloud storage solutions in European enterprises, especially in sectors like finance, healthcare, and government, the risk of sensitive data exposure is notable. However, the lack of known exploits and the requirement for local access somewhat limit the threat scope. Organizations with strict endpoint security and user access controls will be less vulnerable, but those with shared systems or insufficient permission management should prioritize remediation.
Mitigation Recommendations
1. Upgrade the B2 Command Line Tool to version 3.2.1 or later immediately to eliminate the race condition vulnerability.
2. If upgrading is not feasible due to dependency conflicts, deploy the official binary release or install the tool within a Python virtual environment to isolate and control permissions.
3. Restrict directory and file permissions where the configuration database is stored to prevent other local users from reading or opening the file during creation. This includes setting the directory permissions to disallow read or execute access by unauthorized users.
4. After upgrading, delete the existing local database file (e.g., ~/.b2_account_info) to invalidate any potentially compromised handles and regenerate all API keys via the Backblaze management console to prevent unauthorized access.
5. Avoid using 'b2 clear-account' as it does not remove the database file or invalidate open file handles.
6. Implement endpoint security measures to limit local user access and monitor for suspicious file access patterns.
7. Educate users about the importance of running 'b2 authorize-account' only in secure environments and ensuring that local directories are not accessible by unauthorized users.
8. Regularly audit file system permissions on user home directories and configuration paths to ensure compliance with least privilege principles.
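A permission audit for recommendations 3 and 8, added here as an example and not part of the advisory or the B2 tool: it checks the directory and file bits at the paths the advisory names (the user-defined path is passed in as an argument because the page does not say how it is configured) and reports the conditions that make the race exploitable. Search (x) permission on the directory is what lets another local user open the file by name, so it is reported separately from listability.

```python
import os
import stat
import sys


def candidate_paths(user_defined=None):
    """Locations named in the advisory for the account database."""
    paths = [user_defined] if user_defined else []
    xdg = os.environ.get("XDG_CONFIG_HOME")
    if xdg:
        paths.append(os.path.join(xdg, "b2", "account_info"))
    paths.append(os.path.expanduser("~/.b2_account_info"))
    return paths


def audit_modes(dir_mode, file_mode=None):
    """Findings for the permission bits of the config directory and, if it
    exists, the account database file.  Returns an empty list when the
    directory is owner-only, which is the safe configuration."""
    findings = []
    if dir_mode & (stat.S_IXGRP | stat.S_IXOTH):
        findings.append("directory searchable by group/others: file can be opened by name")
    if dir_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("directory listable by group/others")
    if file_mode is not None and file_mode & (
        stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
    ):
        findings.append("account database readable or writable by group/others")
    return findings


def audit_path(path):
    """Stat the directory behind `path` (and the file, if present)."""
    directory = os.path.dirname(os.path.abspath(path))
    if not os.path.isdir(directory):
        return ["config directory missing: create it with mode 0700 before first use"]
    dir_mode = stat.S_IMODE(os.stat(directory).st_mode)
    file_mode = None
    if os.path.lexists(path):
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_modes(dir_mode, file_mode)


if __name__ == "__main__":
    custom = sys.argv[1] if len(sys.argv) > 1 else None
    for p in candidate_paths(custom):
        print(p)
        for finding in audit_path(p) or ["ok"]:
            print("  -", finding)
```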
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9842c4522896dcbf260e
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 3:48:47 PM
Last updated: 8/13/2025, 11:05:20 AM