CVE-2022-46174: a race condition exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below (28th Dec 2022)

Preface: It is sometimes difficult to determine the exact impact of a vulnerability. However, when a design weakness is found, a corrective control should be applied. A race condition exists within the Amazon EFS mount helper in efs-utils. What is a race condition in the traditional sense?

A race condition occurs when two threads access a shared variable at the same time.

Background: EFS offers two methods to connect your Linux-based EC2 instance to your EFS file system. Both use a process called mounting whereby you mount a target to the EFS file system on your instance.

The EFS mount helper is a utility that has to be installed on your EC2 instance.

After installing the Amazon EFS mount helper amazon-efs-utils, just add the -o tls option when mounting, and your communication with Amazon EFS will be encrypted without any changes to your application. Please see the picture for details.

Vulnerability details: When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer’s local mount points to that customer’s EFS file systems.
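The check-then-use pattern behind this kind of port collision, as an added Python example (not efs-utils code and not the v1.34.4 patch): two mount requests select a local port before either tunnel is listening, first by probing and releasing the port, then by holding the bound socket as a reservation. The port range, mount points, file system ids and function names are assumptions made for the demo.

```python
import socket

# Constructed demo values: the port range and file system ids are placeholders.
PORT_RANGE = range(42000, 42050)
REQUESTS = [("/mnt/a", "fs-EXAMPLE-A"), ("/mnt/b", "fs-EXAMPLE-B")]

def pick_port(hold):
    """hold=False: check-then-use, release at once. hold=True: keep the claim."""
    for port in PORT_RANGE:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))
        except OSError:
            s.close()
            continue  # port already claimed, try the next one
        if not hold:
            s.close()  # window opens: another caller can now pick this port
            s = None
        return port, s
    raise RuntimeError("no free port in range")

def plan_mounts(requests, hold):
    """Pick a local port per request before any tunnel has started listening."""
    plan, held = {}, []
    for mount_point, fs_id in requests:
        port, sock = pick_port(hold)
        if sock is not None:
            held.append(sock)
        plan[mount_point] = (fs_id, port)
    for sock in held:
        sock.close()  # hand-over point, where each tunnel would take its port
    return plan

def shared_ports(plan):
    """Ports assigned to more than one file system, i.e. an ambiguous mapping."""
    seen = {}
    for fs_id, port in plan.values():
        seen.setdefault(port, set()).add(fs_id)
    return {port for port, ids in seen.items() if len(ids) > 1}
```

With `hold=False` both constructed requests receive the same port, so `shared_ports` reports it; with `hold=True` each request gets a distinct port.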

Remedy: This issue is patched in version v1.34.4. There is no recommended workaround. We recommend affected users update the installed version of efs-utils to v1.34.4 or later.

Official details: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-46174
