Bug 460425 (CVE-2008-4190)

Summary: CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: avagarwa, kreilly, pwouters, sgrubb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: reported=20080826,public=20080824,source=debian,impact=low
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-30 13:01:23 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 491907, 491908    
Bug Blocks:    

Description Jan Lieskovsky 2008-08-28 04:52:09 EDT
The Openswan's IPSEC livetest tool is prone to symlink attacks.

Affected file: /usr/libexec/ipsec/livetest 

Relevant part of the code:

    39 wget -o /dev/null  -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
     40 
     41 sh < /tmp/ipseclive.conn
     42 ipsec eroute.pl
     43 leftid=`echo $leftid | sed "s/@//"`
     44 ipsec whack --delete --name olts-$leftid >> /tmp/ipsec.olts.local.log
     45 wget -o /dev/null -O /tmp/ipsec.olts.remote.log "http://192.168.0.1/olts/log.php?leftid=$leftid"

A malicious user could precreate symlink to each of the files
(tmp/ipseclive.conn, /tmp/ipsec.olts.remote.log), which could allow
him to destroy the target of the symlink via running the
" # ipsec livetest" command by the superuser of the host.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
Comment 1 Tomas Hoger 2008-09-29 06:52:28 EDT
CVE-2008-4190:

The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local
users to overwrite arbitrary files and execute arbitrary code via a
symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log
temporary files.
Comment 2 Tomas Hoger 2008-09-30 05:17:40 EDT
To extend CVE description, this also affects 2.6.x versions (latest Fedora version is 2.6.16 and is affected by this problem).
Comment 3 Paul Wouters 2009-03-09 16:03:04 EDT
This is a bug, but no security issue whatsoever

- ipsec livetest is not called by anything anywhere. It is an incomplete feature.
- ipsec livetest contains the following code at the start of the script:

echo "currently not used"
exit
Comment 4 Tomas Hoger 2009-03-10 04:59:53 EDT
OpenSwan version in all Fedora versions is based on 2.6.19, which does contain "echo & exit".  Version shipped in Red Hat Enterprise Linux 5 is still based on 2.6.14, which does not have that, which might get changed in the future updates.  Hence this still can be an issue if livetest is run manually.
Comment 9 errata-xmlrpc 2009-03-30 12:52:39 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0402 https://rhn.redhat.com/errata/RHSA-2009-0402.html