Relax-and-Recover (ReaR) is a Linux disaster recovery and system migration tool that generates initrd images used during system boot. In version 2.7, when the GRUB_RESCUE option is enabled (GRUB_RESCUE=y), the tool inadvertently creates an initrd image with world-readable permissions. This initrd contains sensitive system secrets, such as cryptographic keys, passwords, or configuration files, which are normally protected and only accessible by the root user. The vulnerability arises from improper file permission settings (CWE-276: Incorrect Default Permissions) on the generated initrd, exposing these secrets to any local user on the system. Exploitation requires local access with low privileges but no user interaction or elevated privileges beyond that. The attacker can read confidential data, potentially facilitating further privilege escalation or lateral movement. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact without integrity or availability impact. No public exploits or patches are currently available, but the vulnerability is published and should be addressed promptly.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive system secrets on affected Linux systems using ReaR 2.7 with GRUB_RESCUE enabled. Confidentiality breaches could lead to exposure of encryption keys, credentials, or system configurations, undermining security controls and facilitating further attacks such as privilege escalation or data exfiltration. Organizations with multi-user environments, shared hosting, or less restrictive local access controls are particularly vulnerable. Critical infrastructure, government agencies, and enterprises relying on ReaR for disaster recovery could face operational risks if attackers leverage this vulnerability to compromise system integrity indirectly. Although the vulnerability does not affect system availability or integrity directly, the confidentiality impact can have cascading effects on overall security posture and compliance with data protection regulations like GDPR.

To mitigate this vulnerability, organizations should immediately audit the permissions of initrd images generated by ReaR, ensuring they are not world-readable. Specifically, restrict access to the initrd file to root or administrative users only (e.g., chmod 600). Review and disable the GRUB_RESCUE=y option if not strictly necessary, as this triggers the insecure behavior. Monitor and control local user access to systems running ReaR to minimize the risk of unauthorized local exploitation. Stay informed about vendor updates or patches addressing this issue and apply them promptly once available. Additionally, implement file integrity monitoring on critical boot files and secrets to detect unauthorized access or changes. Employ strict access controls and user privilege management to limit the number of users who can access local systems. Finally, conduct regular security audits and penetration tests focusing on local privilege escalation vectors to identify and remediate similar issues.