Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Version: unspecified
CC: avagarwa, kreilly, pwouters, sgrubb
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-03-30 13:01:23 EDT
Type: ---
oVirt Team: ---
Bug Depends On: 491907, 491908
Description Jan Lieskovsky 2008-08-28 04:52:09 EDT
Openswan's IPSEC livetest tool is prone to symlink attacks.

Affected file: /usr/libexec/ipsec/livetest

Relevant part of the code (lines 39-45):

    wget -o /dev/null -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"

    sh < /tmp/ipseclive.conn
    ipsec eroute.pl
    leftid=`echo $leftid | sed "s/@//"`
    ipsec whack --delete --name olts-$leftid >> /tmp/ipsec.olts.local.log
    wget -o /dev/null -O /tmp/ipsec.olts.remote.log "http://192.168.0.1/olts/log.php?leftid=$leftid"

A malicious user could pre-create a symlink at each of these files (/tmp/ipseclive.conn, /tmp/ipsec.olts.remote.log), which could allow him to destroy the target of the symlink when the superuser of the host runs the "# ipsec livetest" command.

References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
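A hardened form of the pattern described in the report, added here as an example (it is not Openswan's livetest script nor Red Hat's code): it assumes a POSIX sh with mktemp -d and test -O, replaces the fixed /tmp names with an unpredictable private directory, and includes a small audit check for fixed paths that a reviewer can apply to similar scripts.

```shell
#!/bin/sh
# Added example, not the Openswan livetest script or any Red Hat code.
# The report's pattern: a script run as root writes to fixed, predictable
# names (/tmp/ipseclive.conn, /tmp/ipsec.olts.remote.log) and the shell
# redirection follows whatever symlink another local user left there.
# Two defensive pieces:
#   tmp_path_is_safe  - an audit check for a fixed path before it is used
#   make_private_tmp  - the actual fix: an unpredictable per-run directory

# Return 0 if PATH does not exist yet, or is a regular file owned by the
# caller and not a symlink; return 1 for anything a symlink attack could
# have planted. (A "does not exist" answer can still be raced, which is why
# the real fix below is mktemp, not this check alone.)
tmp_path_is_safe() {
    p=$1
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then return 0; fi   # nothing there
    [ -L "$p" ] && return 1          # symlink (dangling or not): refuse
    [ -f "$p" ] || return 1          # directory, device, fifo: refuse
    [ -O "$p" ] || return 1          # owned by another user: refuse
    return 0
}

# Create a private work directory: mktemp -d picks an unguessable name,
# creates it atomically with mode 0700 and fails rather than reuse an
# existing entry, so no pre-placed symlink can be followed. Prints the path.
make_private_tmp() {
    mktemp -d "${TMPDIR:-/tmp}/ipsec-livetest.XXXXXX"
}

# The report's lines 39-45 with the fixed /tmp names replaced by files
# inside the private directory (network calls kept as comments so this
# runs offline). Prints the three per-run paths; the trap removes the
# directory when the shell exits, so nothing persists at a guessable path.
livetest_paths() {
    work=$(make_private_tmp) || return 1
    trap 'rm -rf "$work"' EXIT
    # wget -o /dev/null -O "$work/ipseclive.conn" "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
    # sh < "$work/ipseclive.conn"
    # ipsec whack --delete --name "olts-$leftid" >> "$work/ipsec.olts.local.log"
    # wget -o /dev/null -O "$work/ipsec.olts.remote.log" "http://192.168.0.1/olts/log.php?leftid=$leftid"
    printf '%s\n' "$work/ipseclive.conn" "$work/ipsec.olts.local.log" \
                  "$work/ipsec.olts.remote.log"
}
```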
Comment 1 Tomas Hoger 2008-09-29 06:52:28 EDT
CVE-2008-4190: The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files.
Comment 2 Tomas Hoger 2008-09-30 05:17:40 EDT
To extend the CVE description: this also affects 2.6.x versions (the latest Fedora version is 2.6.16 and is affected by this problem).
Comment 3 Paul Wouters 2009-03-09 16:03:04 EDT
This is a bug, but no security issue whatsoever:

- ipsec livetest is not called by anything anywhere. It is an incomplete feature.
- ipsec livetest contains the following code at the start of the script:

    echo "currently not used"
    exit
Comment 4 Tomas Hoger 2009-03-10 04:59:53 EDT
The OpenSwan version in all Fedora versions is based on 2.6.19, which does contain the "echo & exit". The version shipped in Red Hat Enterprise Linux 5 is still based on 2.6.14, which does not have that; this might get changed in future updates. Hence this can still be an issue if livetest is run manually.