Openswan's IPSEC livetest tool is prone to symlink attacks.

Affected file: /usr/libexec/ipsec/livetest

Relevant part of the code:

    wget -o /dev/null -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"

    sh < /tmp/ipseclive.conn
    ipsec eroute.pl
    leftid=`echo $leftid | sed "s/@//"`
    ipsec whack --delete --name olts-$leftid >> /tmp/ipsec.olts.local.log
    wget -o /dev/null -O /tmp/ipsec.olts.remote.log "http://192.168.0.1/olts/log.php?leftid=$leftid"

A malicious user could pre-create a symlink to each of the files (/tmp/ipseclive.conn, /tmp/ipsec.olts.remote.log), which could allow him to destroy the target of the symlink when the superuser of the host runs the "# ipsec livetest" command.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
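The following is an added example, not Openswan's code and not part of the report above: it shows how the temp-file handling in the excerpt can be written so that a symlink pre-created at a fixed /tmp name cannot redirect the script's writes. Scratch files go into a private directory from mktemp -d, and every path the script is about to write through is checked to be a plain file rather than a symlink. The wget call is replaced by a constructed local stand-in (fetch_conn) so the example runs offline; fetch_conn, private_tmpdir, is_safe_target and run_livetest are names chosen for this example.

```shell
#!/bin/sh
# Added example (not Openswan's code): hardened rewrite of the temp-file
# handling from the livetest excerpt. The network fetch is replaced by a
# constructed local stand-in so the script runs offline.
set -eu

# Stand-in for the original wget of the conn file (constructed for this
# example): writes a harmless one-line command list to the path in $1.
fetch_conn() {
    printf '%s\n' 'echo olts-test-conn' > "$1"
}

# mktemp -d creates a fresh mode-0700 directory with an unpredictable name
# and fails instead of reusing a path someone else already placed there,
# so there is no fixed name for another local user to pre-create.
private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/ipsec-livetest.XXXXXX"
}

# Guard for any path the script is about to write through: returns 0 if the
# path does not exist yet or is a plain file (not a symlink), 1 otherwise.
# The -L test is needed separately because -e is false for a dangling symlink.
is_safe_target() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        [ ! -L "$1" ] && [ -f "$1" ]
    else
        return 0
    fi
}

# Hardened flow mirroring the excerpt: the conn file and the remote log live
# under the private directory, and the script refuses to proceed if either
# target is not what it expects. Prints the output of the downloaded
# command list and removes the working directory when done.
run_livetest() {
    workdir=$(private_tmpdir)
    conn="$workdir/ipseclive.conn"
    remote_log="$workdir/ipsec.olts.remote.log"

    for f in "$conn" "$remote_log"; do
        if ! is_safe_target "$f"; then
            echo "refusing to write through $f" >&2
            rm -rf "$workdir"
            return 1
        fi
    done

    fetch_conn "$conn"
    # Re-check before executing: only run the file if it is still a plain file.
    is_safe_target "$conn" || { rm -rf "$workdir"; return 1; }
    sh < "$conn" > "$remote_log"

    cat "$remote_log"
    rm -rf "$workdir"
}
```

The key change is that no write goes to a name an unprivileged user can predict: the directory name is random and created with O_EXCL semantics by mktemp, and is_safe_target rejects a symlink even if one were somehow placed at the expected path. The same guard can be applied to /tmp/ipsec.olts.local.log, which the excerpt also appends to with a fixed name.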
CVE-2008-4190: The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files.
To extend CVE description, this also affects 2.6.x versions (latest Fedora version is 2.6.16 and is affected by this problem).
This is a bug, but no security issue whatsoever:
- ipsec livetest is not called by anything anywhere. It is an incomplete feature.
- ipsec livetest contains the following code at the start of the script:

    echo "currently not used"
    exit
The OpenSwan version in all Fedora versions is based on 2.6.19, which does contain the "echo & exit". The version shipped in Red Hat Enterprise Linux 5 is still based on 2.6.14, which does not have that; this might get changed in future updates. Hence this still can be an issue if livetest is run manually.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2009:0402 https://rhn.redhat.com/errata/RHSA-2009-0402.html