Bug 460425 (CVE-2008-4190)
| Summary: | CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | avagarwa, kreilly, pwouters, sgrubb |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-03-30 17:01:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 491907, 491908 | ||
| Bug Blocks: | |||
CVE-2008-4190: The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. To extend CVE description, this also affects 2.6.x versions (latest Fedora version is 2.6.16 and is affected by this problem). This is a bug, but no security issue whatsoever - ipsec livetest is not called by anything anywhere. It is an incomplete feature. - ipsec livetest contains the following code at the start of the script: echo "currently not used" exit OpenSwan version in all Fedora versions is based on 2.6.19, which does contain "echo & exit". Version shipped in Red Hat Enterprise Linux 5 is still based on 2.6.14, which does not have that, which might get changed in the future updates. Hence this still can be an issue if livetest is run manually. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0402 https://rhn.redhat.com/errata/RHSA-2009-0402.html |
The Openswan's IPSEC livetest tool is prone to symlink attacks. Affected file: /usr/libexec/ipsec/livetest Relevant part of the code: 39 wget -o /dev/null -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version" 40 41 sh < /tmp/ipseclive.conn 42 ipsec eroute.pl 43 leftid=`echo $leftid | sed "s/@//"` 44 ipsec whack --delete --name olts-$leftid >> /tmp/ipsec.olts.local.log 45 wget -o /dev/null -O /tmp/ipsec.olts.remote.log "http://192.168.0.1/olts/log.php?leftid=$leftid" A malicious user could precreate symlink to each of the files (tmp/ipseclive.conn, /tmp/ipsec.olts.remote.log), which could allow him to destroy the target of the symlink via running the " # ipsec livetest" command by the superuser of the host. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374