Full Disclosure mailing list archives
Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation
From: Paul Wouters <paul () xtdnet nl>
Date: Mon, 9 Mar 2009 21:12:41 +0100 (CET)
On Mon, 9 Mar 2009, Robert Buchholz wrote:
> Subject: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation
Once again, thanks to everyone for not contacting the Openswan Project in this matter just like they did not do this 6 months ago when this "vulnerability" came out originally.
> Severity: Normal
> Title: Openswan: Insecure temporary file creation
> Date: March 09, 2009
> Bugs: #238574
> ID: 200903-18
>
> An insecure temporary file usage has been reported in Openswan, allowing for symlink attacks.
>
> Dmitry E. Oboukhov reported that the IPSEC livetest tool does not handle the ipseclive.conn and ipsec.olts.remote.log temporary files securely.
>
> A local attacker could perform symlink attacks to execute arbitrary code and overwrite arbitrary files with the privileges of the user running the application.
The ipsec livetest command was never called or used by anything in openswan as it was not finished. Furthermore, it was no longer installed AND explicitly disabled since:

commit 4661d345b676d5412a52b6d1289568fc4ab31eac
Author: Paul Wouters <paul () xelerance com>
Date:   Fri Nov 21 23:52:38 2008 -0600

    Skip installing livetest

when we added:

$ head -5 programs/livetest/livetest.in
#!/bin/sh
echo "currently not used"
exit
> Workaround
> ==========
>
> There is no known workaround at this time.
The ipsec livetest is not even used by anything within the openswan software. It is never called. No parts of openswan are called without root privs. This whole thing is moot. Please bury it. Or just remove the install of the livetest command in your build environment. Or just ship a newer version of openswan like 2.6.20 instead of the latest "vulnerable" version in 2.6.16.
> Resolution
> ==========
>
> All Openswan users should upgrade to the latest version:
>
>     # emerge --sync
>     # emerge --ask --oneshot --verbose ">=net-misc/openswan-2.4.13-r2"
Ahh. gentoo still uses the openswan-2.4.x version which has been EOL since early 2008.

Also note that the problematic use was in wget -O. Perhaps one should talk to the wget people about symlink attacks in their code instead?

Paul

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
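To make the class of bug the advisory describes concrete, here is an added shell example; it is not code from the advisory, from Gentoo, or from the Openswan project. It plants a symlink at a predictable temporary name, shows a fixed-name write following that symlink and clobbering another file (a plain redirect stands in for a downloader such as wget -O), and contrasts the mktemp pattern, which creates an unpredictable name with O_EXCL so there is nothing for an attacker to pre-plant. The sandbox directory, the victim file and all contents are constructed for the demo; the name ipseclive.conn is taken from the advisory, but its location under the sandbox is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory or the Openswan project: a predictable
# temporary file name lets a local attacker redirect a write through a symlink;
# mktemp defeats it. Everything below runs in a throwaway directory.

set -u

# Throwaway directory standing in for a shared, world-writable /tmp (assumption:
# where the advisory's temporary files lived is not shown on the page).
SANDBOX=$(mktemp -d)
VICTIM="$SANDBOX/victim.conf"         # constructed file an attacker wants clobbered
PREDICTABLE="$SANDBOX/ipseclive.conn" # name from the advisory, location assumed

reset_victim() {
    printf 'important=1\n' > "$VICTIM"
}

# Attacker step: pre-create the predictable name as a symlink to the victim file.
# (-f so the demo can be re-run in the same sandbox.)
plant_symlink() {
    ln -sf "$VICTIM" "$PREDICTABLE"
}

# Vulnerable pattern: open a fixed, predictable name for writing. open(2) with
# O_CREAT|O_TRUNC follows the attacker's symlink, so the victim file is truncated
# and overwritten. The redirect stands in for a writer such as wget -O.
unsafe_write() {
    printf 'downloaded config\n' > "$PREDICTABLE"
}

# Hardened pattern: mktemp picks an unpredictable name and creates it with
# O_CREAT|O_EXCL; the writer then uses only the path mktemp returned. An attacker
# cannot pre-plant that name, and if it somehow already exists mktemp fails
# instead of following anything. Prints the path it wrote to.
safe_write() {
    tmp=$(mktemp "$SANDBOX/ipseclive.XXXXXX") || return 1
    printf 'downloaded config\n' > "$tmp"
    printf '%s\n' "$tmp"
}

# Exit 0 if the victim file still holds its original content.
victim_intact() {
    [ "$(cat "$VICTIM")" = "important=1" ]
}

# Walk-through when run as a script.
reset_victim
plant_symlink
unsafe_write
if victim_intact; then
    echo "unsafe write: victim untouched"
else
    echo "unsafe write: victim clobbered via $PREDICTABLE -> $(readlink "$PREDICTABLE")"
fi
reset_victim
written=$(safe_write)
if victim_intact && [ ! -L "$written" ]; then
    echo "safe write: wrote $written, victim intact"
fi
```

The same follow-the-symlink behaviour applies to any program that opens a fixed path with O_TRUNC, which is why the fix belongs in the caller choosing the name (mktemp, or a private directory created with mktemp -d) rather than in the downloader. Remove the sandbox with rm -rf "$SANDBOX" when done.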
Current thread:
- [ GLSA 200903-18 ] Openswan: Insecure temporary file creation Robert Buchholz (Mar 09)
- Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation Paul Wouters (Mar 09)
- Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation Robert Buchholz (Mar 10)
- Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation Paul Wouters (Mar 09)