Bug 460425 (CVE-2008-4190) - CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 491907 491908
Blocks:
 
Reported: 2008-08-28 08:52 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-30 17:01:23 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2009:0402 (priority: normal, status: SHIPPED_LIVE): Important: openswan security update, last updated 2009-03-30 16:52:33 UTC

Description Jan Lieskovsky 2008-08-28 08:52:09 UTC
Openswan's IPSEC livetest tool is prone to symlink attacks.

Affected file: /usr/libexec/ipsec/livetest 

Relevant part of the code:

    # download the generated connection file to a fixed, predictable path under /tmp
    wget -o /dev/null -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"

    # execute whatever was downloaded
    sh < /tmp/ipseclive.conn
    ipsec eroute.pl
    leftid=`echo $leftid | sed "s/@//"`
    # append local log output to a fixed path under /tmp
    ipsec whack --delete --name olts-$leftid >> /tmp/ipsec.olts.local.log
    # download the remote log to another fixed path under /tmp
    wget -o /dev/null -O /tmp/ipsec.olts.remote.log "http://192.168.0.1/olts/log.php?leftid=$leftid"

A malicious user could pre-create a symlink at each of the files
(/tmp/ipseclive.conn, /tmp/ipsec.olts.remote.log), which could allow
him to destroy the target of the symlink when the superuser of the host
runs the "# ipsec livetest" command.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
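As an added example (not code from Openswan or from this report), here is how the fixed-path /tmp writes in the excerpt above could be rewritten defensively: each run gets a private directory from mktemp -d, and a write helper refuses any target that is a symlink and never truncates an existing file. The function names are my own.

```shell
#!/bin/sh
# Hardened replacement for the /tmp handling in livetest (illustrative
# example, not Openswan code). The original wrote to fixed names such as
# /tmp/ipseclive.conn with wget -O and >>, both of which follow a symlink
# placed there beforehand by any local user.

# Reject a target path that is a symbolic link or an existing non-regular
# file. This is the check the original script lacked.
safe_target() {
    path=$1
    if [ -L "$path" ]; then
        echo "refusing: $path is a symbolic link" >&2
        return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing: $path exists and is not a regular file" >&2
        return 1
    fi
    return 0
}

# Create a private, unpredictable work directory (mktemp -d creates it
# mode 0700) instead of sharing the world-writable /tmp root.
make_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ipsec.olts.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Write stdin to $1 only after the symlink check. set -C (noclobber)
# makes the redirection fail if the file already exists, so the write
# never truncates whatever an existing name happens to point at.
safe_write() {
    target=$1
    safe_target "$target" || return 1
    ( set -C; cat > "$target" ) 2>/dev/null || {
        echo "refusing: could not create $target exclusively" >&2
        return 1
    }
}

# Usage sketch for the original lines (not executed here):
#   work=$(make_workdir) && trap 'rm -rf "$work"' EXIT
#   wget -o /dev/null -O - "$url" | safe_write "$work/ipseclive.conn"
#   sh < "$work/ipseclive.conn"
```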

Comment 1 Tomas Hoger 2008-09-29 10:52:28 UTC
CVE-2008-4190:

The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local
users to overwrite arbitrary files and execute arbitrary code via a
symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log
temporary files.

Comment 2 Tomas Hoger 2008-09-30 09:17:40 UTC
To extend CVE description, this also affects 2.6.x versions (latest Fedora version is 2.6.16 and is affected by this problem).

Comment 3 Paul Wouters 2009-03-09 20:03:04 UTC
This is a bug, but no security issue whatsoever

- ipsec livetest is not called by anything anywhere. It is an incomplete feature.
- ipsec livetest contains the following code at the start of the script:

echo "currently not used"
exit

Comment 4 Tomas Hoger 2009-03-10 08:59:53 UTC
OpenSwan version in all Fedora versions is based on 2.6.19, which does contain "echo & exit".  Version shipped in Red Hat Enterprise Linux 5 is still based on 2.6.14, which does not have that, which might get changed in the future updates.  Hence this still can be an issue if livetest is run manually.

Comment 9 errata-xmlrpc 2009-03-30 16:52:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0402 https://rhn.redhat.com/errata/RHSA-2009-0402.html

