Written by Dmitry E. Oboukhov
Monday, 30 March 2009 22:14
Openswan IPsec Livetest Insecure Temporary File Creation Vulnerability
-\\Bugtraq ID: 31243
-\\Class: Design Error
-\\CVE: CVE-2008-4190
-\\Remote: No
-\\Local: Yes
-\\Published: Aug 24 2008 12:00AM
-\\Updated: Mar 30 2009 09:06PM
-\\Credit: Dmitry E. Oboukhov
-\\Vulnerable:
  RedHat Fedora 9 0
  RedHat Fedora 8 0
  RedHat Enterprise Linux Desktop 5 client
  RedHat Enterprise Linux 5 server
  Openswan Openswan 2.6.16
  Openswan Openswan 2.4.4
  Openswan Openswan 2.4.2
  Openswan Openswan 2.4
  Openswan Openswan 2.3.1
  Openswan Openswan 2.3
  Openswan Openswan 2.2
  Openswan Openswan 2.1.6
  Openswan Openswan 2.1.5
    + RedHat Fedora Core3
  Openswan Openswan 2.1.4
  Openswan Openswan 2.1.2
  Openswan Openswan 2.1.1
  Openswan Openswan 1.0.9
  Openswan Openswan 1.0.8
  Openswan Openswan 1.0.7
  Openswan Openswan 1.0.6
  Openswan Openswan 1.0.5
  Openswan Openswan 1.0.4
  Gentoo Linux
  Debian Linux 4.0 sparc
  Debian Linux 4.0 s/390
  Debian Linux 4.0 powerpc
  Debian Linux 4.0 mipsel
  Debian Linux 4.0 mips
  Debian Linux 4.0 m68k
  Debian Linux 4.0 ia-64
  Debian Linux 4.0 ia-32
  Debian Linux 4.0 hppa
  Debian Linux 4.0 arm
  Debian Linux 4.0 amd64
  Debian Linux 4.0 alpha
  Debian Linux 4.0
-\\Not Vulnerable: Openswan Openswan 2.6.20
-\\Discussion: Openswan creates temporary files in an insecure manner.
An attacker with local access could potentially exploit these issues to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
UPDATE (March 9, 2009): The vendor disputes the validity of this issue, stating that the vulnerable code was incomplete and never run from within the application. The vendor also reports that the latest version of Openswan has disabled the offending code.
-\\Exploit(s)/PoC(s): An attacker uses readily available commands to exploit this issue.
-\\Solution: Updates are available. Please see the references for more information.
Note (Mar 9, 2009): The vendor disputes the validity of this issue stating the vulnerable code was incomplete and never run from within the application. The vendor also reports that the latest version of Openswan has disabled the offending code and is not vulnerable.
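The insecure temporary file pattern from the Discussion, shown beside two hardened ways to create the file. This is an added example, not Openswan's code and not part of the original advisory; the file name livetest.tmp, the function names and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All paths live in a private sandbox built with mktemp -d;
# "livetest.tmp" is a hypothetical file name, not taken from Openswan.

# Weak: fixed name in a shared directory. ">" follows a symlink that is
# already sitting at that path and truncates whatever it points to.
write_predictable() {
    printf '%s\n' "$2" > "$1/livetest.tmp"
}

# Hardened: mktemp chooses an unpredictable name and creates the file
# exclusively with mode 0600. Prints the path it created.
write_mktemp() {
    f=$(mktemp "$1/livetest.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Hardened, fixed name required: noclobber (set -C) makes the redirection
# fail when anything, symlink included, already exists at the path.
write_noclobber() {
    ( set -C; printf '%s\n' "$2" > "$1/livetest.tmp" ) 2>/dev/null
}

# Constructed scenario: in the shared directory the predictable name
# already exists as a symlink to a file the writer should not touch.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/shared"
    printf 'important\n' > "$sb/protected.conf"
    ln -s "$sb/protected.conf" "$sb/shared/livetest.tmp"
    printf '%s\n' "$sb"
}

# Runs all three writers against the sandbox and reports what happened
# to protected.conf after the hardened and the predictable writes.
demo() {
    sb=$(make_sandbox) || return 1
    write_noclobber "$sb/shared" data || echo "noclobber: refused existing path"
    echo "mktemp: wrote $(write_mktemp "$sb/shared" data)"
    echo "after hardened writes:   $(cat "$sb/protected.conf")"
    write_predictable "$sb/shared" data
    echo "after predictable write: $(cat "$sb/protected.conf")"
    rm -rf "$sb"
}
```

Calling `demo` shows protected.conf unchanged after both hardened writes and overwritten only by the predictable-name write.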
-\\Reference(s):
--Bug 460425 - openswan: Insecure auxiliary /tmp file usage (symlink attack possi
  https://bugzilla.redhat.com/show_bug.cgi?id=46042 (Red Hat)
--Debian Bug report logs - #496421
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=49642 (Debian)
--The possibility of attack with the help of symlinks in some Debian packages
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=49637 ("Dmitry E. Oboukhov")
--Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation
  http://www.securityfocus.com/archive/1/50162 (Paul Wouters)
--Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation
  http://www.securityfocus.com/archive/1/50164 (Robert Buchholz)