The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE: in many distributions and the upstream version, this tool has been disabled.
Weakness
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openswan | Openswan | 1.0.4 (including) | 1.0.4 (including) |
| Openswan | Openswan | 1.0.5 (including) | 1.0.5 (including) |
| Openswan | Openswan | 1.0.6 (including) | 1.0.6 (including) |
| Openswan | Openswan | 1.0.7 (including) | 1.0.7 (including) |
| Openswan | Openswan | 1.0.8 (including) | 1.0.8 (including) |
| Openswan | Openswan | 1.0.9 (including) | 1.0.9 (including) |
| Openswan | Openswan | 2.1.1 (including) | 2.1.1 (including) |
| Openswan | Openswan | 2.1.2 (including) | 2.1.2 (including) |
| Openswan | Openswan | 2.1.4 (including) | 2.1.4 (including) |
| Openswan | Openswan | 2.1.5 (including) | 2.1.5 (including) |
| Openswan | Openswan | 2.1.6 (including) | 2.1.6 (including) |
| Openswan | Openswan | 2.2 (including) | 2.2 (including) |
| Openswan | Openswan | 2.3 (including) | 2.3 (including) |
| Openswan | Xelerance | 2.3.1 (including) | 2.3.1 (including) |
| Openswan | Xelerance | 2.4.0 (including) | 2.4.0 (including) |
| Openswan | Xelerance | 2.4.1 (including) | 2.4.1 (including) |
| Openswan | Xelerance | 2.4.2 (including) | 2.4.2 (including) |
| Openswan | Xelerance | 2.4.3 (including) | 2.4.3 (including) |
| Openswan | Xelerance | 2.4.4 (including) | 2.4.4 (including) |
| Openswan | Xelerance | 2.4.5 (including) | 2.4.5 (including) |
| Openswan | Xelerance | 2.4.6 (including) | 2.4.6 (including) |
| Openswan | Xelerance | 2.4.7 (including) | 2.4.7 (including) |
| Openswan | Xelerance | 2.4.8 (including) | 2.4.8 (including) |
| Openswan | Xelerance | 2.4.9 (including) | 2.4.9 (including) |
| Openswan | Xelerance | 2.4.10 (including) | 2.4.10 (including) |
| Openswan | Xelerance | 2.4.11 (including) | 2.4.11 (including) |
| Openswan | Xelerance | 2.4.12 (including) | 2.4.12 (including) |
| Openswan | Xelerance | 2.6.03 (including) | 2.6.03 (including) |
| Openswan | Xelerance | 2.6.04 (including) | 2.6.04 (including) |
| Openswan | Xelerance | 2.6.05 (including) | 2.6.05 (including) |
| Openswan | Xelerance | 2.6.06 (including) | 2.6.06 (including) |
| Openswan | Xelerance | 2.6.07 (including) | 2.6.07 (including) |
| Openswan | Xelerance | 2.6.08 (including) | 2.6.08 (including) |
| Openswan | Xelerance | 2.6.09 (including) | 2.6.09 (including) |
| Openswan | Xelerance | 2.6.10 (including) | 2.6.10 (including) |
| Openswan | Xelerance | 2.6.11 (including) | 2.6.11 (including) |
| Openswan | Xelerance | 2.6.12 (including) | 2.6.12 (including) |
| Openswan | Xelerance | 2.6.13 (including) | 2.6.13 (including) |
| Openswan | Xelerance | 2.6.14 (including) | 2.6.14 (including) |
| Openswan | Xelerance | 2.6.15 (including) | 2.6.15 (including) |
| Openswan | Xelerance | 2.6.16 (including) | 2.6.16 (including) |
| Red Hat Enterprise Linux 5 | RedHat | openswan-0:2.6.14-1.el5_3.2 | * |
| Openswan | Ubuntu | dapper | * |
| Openswan | Ubuntu | feisty | * |
| Openswan | Ubuntu | gutsy | * |
| Openswan | Ubuntu | hardy | * |
| Openswan | Ubuntu | upstream | * |
Potential Mitigations
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/132.html
- https://cwe.mitre.org/data/definitions/17.html
- https://cwe.mitre.org/data/definitions/35.html
- https://cwe.mitre.org/data/definitions/76.html
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
- http://dev.gentoo.org/~rbu/security/debiantemp/openswan
- http://secunia.com/advisories/34182
- http://secunia.com/advisories/34472
- http://www.debian.org/security/2009/dsa-1760
- http://www.openwall.com/lists/oss-security/2008/10/30/2
- http://www.redhat.com/support/errata/RHSA-2009-0402.html
- http://www.securityfocus.com/archive/1/501624/100/0/threaded
- http://www.securityfocus.com/archive/1/501640/100/0/threaded
- http://www.securityfocus.com/bid/31243
- https://bugs.gentoo.org/show_bug.cgi?id=235770
- https://bugzilla.redhat.com/show_bug.cgi?id=460425
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45250
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10078
- https://www.exploit-db.com/exploits/9135
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374
- http://dev.gentoo.org/~rbu/security/debiantemp/openswan
- http://secunia.com/advisories/34182
- http://secunia.com/advisories/34472
- http://www.debian.org/security/2009/dsa-1760
- http://www.openwall.com/lists/oss-security/2008/10/30/2
- http://www.redhat.com/support/errata/RHSA-2009-0402.html
- http://www.securityfocus.com/archive/1/501624/100/0/threaded
- http://www.securityfocus.com/archive/1/501640/100/0/threaded
- http://www.securityfocus.com/bid/31243
- https://bugs.gentoo.org/show_bug.cgi?id=235770
- https://bugzilla.redhat.com/show_bug.cgi?id=460425
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45250
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10078
- https://www.exploit-db.com/exploits/9135