Red Hat Bugzilla – Bug 460425
CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible)
Last modified: 2009-03-30 13:01:23 EDT
The Openswan's IPSEC livetest tool is prone to symlink attacks.
Affected file: /usr/libexec/ipsec/livetest
Relevant part of the code:
wget -o /dev/null -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
sh < /tmp/ipseclive.conn
ipsec eroute.pl
leftid=`echo $leftid | sed "s/@//"`
ipsec whack --delete --name olts-$leftid >> /tmp/ipsec.olts.local.log
wget -o /dev/null -O /tmp/ipsec.olts.remote.log "http://192.168.0.1/olts/log.php?leftid=$leftid"
A malicious user could pre-create a symlink at each of the files
(/tmp/ipseclive.conn, /tmp/ipsec.olts.remote.log), which could allow
him to destroy the target of the symlink when the superuser of the host
runs the "# ipsec livetest" command.
The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local
users to overwrite arbitrary files and execute arbitrary code via a
symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log
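As an added illustration (not Openswan's code and not part of this report), the same wget/sh/whack sequence rewritten so that every file lives in a private mktemp(1) directory instead of under fixed names in /tmp; it assumes mktemp from coreutils and that leftid, leftrsasigkey and version are set earlier in the script as on the page:

```shell
#!/bin/sh
# Added example, not Openswan's code: hardened replacement for the fixed
# /tmp names in livetest. Assumes mktemp(1) from coreutils; leftid,
# leftrsasigkey and version are set by the script as on the page.

# A fresh 0700 directory with an unpredictable name: a local user can
# neither pre-create a symlink at a path that does not exist yet nor
# write into a root-owned directory with mode 0700.
olts_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/ipsec.olts.XXXXXX"
}

# Last-line check before writing: refuse a path that is a symlink or
# that exists but is not a regular file. 0 = safe to write, 1 = refuse.
safe_to_write() {
    [ -L "$1" ] && return 1
    [ -e "$1" ] && [ ! -f "$1" ] && return 1
    return 0
}

# Hardened form of the quoted livetest lines: all three files are created
# inside the private directory, which is removed when the script exits.
olts_livetest() {
    dir=$(olts_workdir) || return 1
    trap 'rm -rf "$dir"' EXIT
    conn="$dir/ipseclive.conn"
    local_log="$dir/ipsec.olts.local.log"
    remote_log="$dir/ipsec.olts.remote.log"
    for f in "$conn" "$local_log" "$remote_log"; do
        safe_to_write "$f" || return 1
    done
    wget -o /dev/null -O "$conn" \
        "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version" || return 1
    sh < "$conn"
    ipsec eroute.pl
    leftid=$(printf '%s\n' "$leftid" | sed "s/@//")
    ipsec whack --delete --name "olts-$leftid" >> "$local_log"
    wget -o /dev/null -O "$remote_log" \
        "http://192.168.0.1/olts/log.php?leftid=$leftid"
}
```

The check in safe_to_write is only a backstop; the real fix is that the directory itself is unpredictable and not writable by other users.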
To extend the CVE description, this also affects 2.6.x versions (the latest Fedora version is 2.6.16 and is affected by this problem).
This is a bug, but not a security issue whatsoever:
- ipsec livetest is not called by anything anywhere. It is an incomplete feature.
- ipsec livetest contains the following code at the start of the script:
echo "currently not used"
The OpenSwan version in all Fedora versions is based on 2.6.19, which does contain the "echo & exit". The version shipped in Red Hat Enterprise Linux 5 is still based on 2.6.14, which does not have that; this might get changed in future updates. Hence this can still be an issue if livetest is run manually.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:0402 https://rhn.redhat.com/errata/RHSA-2009-0402.html