Vulnerability Alert

Linux Kernel iproute Package Insecure Temporary File Creation Vulnerability

 
Threat Type:CWE-94: Code Injection
IntelliShield ID:25299
Version:3
First Published:2012 February 29 16:16 GMT
Last Published:2013 March 25 15:33 GMT
Port: Not available
CVE:CVE-2012-1088
BugTraq ID:52185
Urgency:Unlikely Use
Credibility:Confirmed
Severity:Mild Damage
CVSS Base:4.6 CVSS Calculator
CVSS Version 2.0
CVSS Temporal:3.4
 
Version Summary:MontaVista Software has released a changelog and updated software to address the Linux Kernel iproute package insecure temporary file creation vulnerability.
 
 
Description
The Linux Kernel contains a vulnerability that could allow an unprivileged, local attacker to conduct symbolic link (symlink) attacks.

The vulnerability exists because the kernel fails to impose sufficient security restrictions on temporary files. An unprivileged, local attacker could exploit the vulnerability by creating symbolic links to different system files to gain unauthorized access to these files. The attacker could overwrite these arbitrary files with elevated privileges.

Kernel.org has confirmed the vulnerability in the git repository and software updates are available.
 
Warning Indicators
Linux Kernel versions 2.6.39.rc4 and prior are vulnerable.
 
IntelliShield Analysis
To successfully exploit the vulnerability, the attacker would need local access to the targeted system, which could limit the likelihood of an exploit.

The vulnerability may be mitigated by saving temporary files generated from the build configuration script to the build directory, instead of the /tmp directory.
 
Vendor Announcements
Kernel.org has confirmed the vulnerability at the following link: linux/kernel/git/shemminger/iproute2.git

MontaVista Software has released a changelog for registered users on March 20, 2013 at the following link: MontaVista Security Issues
 
Impact
An unprivileged, local attacker could exploit the vulnerability to use the temporary file symlinks to access arbitrary system files. Access to these files could allow the attacker to overwrite or remove files that may result in unintentional system behavior.
 
Technical Information
The vulnerability exists because the iproute package insecurely creates temporary files in the /tmp folder while checking for ATM technology support, Xtables extension support, setns() system call support, and in the dhcp-client-script example script. Because temporary files in this folder carry insecure file permissions by default, symbolic links to these files could be used to gain elevated privileges to access arbitrary system files.

An unprivileged, local attacker could exploit the vulnerability by crafting the symlinks to temporary files and could overwrite arbitrary system files. Execution of these crafted system files could allow the attacker to execute arbitrary code to perform unintentional system behavior.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to access local systems.

Administrators are advised to enforce strong passwords for local accounts.
 
Patches/Software
Kernel.org has released an updated version at the following link: Linux Kernel 3.0.0 or later

MontaVista Software has released updated software for registered users at the following links:
 
Alert History
 

Version 2, March 18, 2013, 11:49 AM: MontaVista Software has released a changelog and updated software to address the Linux Kernel iproute package insecure temporary file creation vulnerability.

Version 1, February 29, 2012, 11:16 AM: The Linux Kernel contains a vulnerability that could allow an unprivileged, local attacker to conduct symbolic link attacks.  Updates are not available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Linus TorvaldsLinux Kernel 2.6.0 .0 | 2.6.1 .0 | 2.6.2 .0 | 2.6.3 .0 | 2.6.4 .0 | 2.6.5 .0 | 2.6.6 .0 | 2.6.7 .0 | 2.6.8 .0, .1 | 2.6.9 .0 | 2.6.10 .0 | 2.6.11 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12 | 2.6.12 .0, .1, .2, .3, .4, .5, .6 | 2.6.13 .0, .1, .2, .3, .4, .5 | 2.6.14 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.15 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.16 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24, .25, .26, .27, .28, .29, .30, .31, .32, .33, .34, .35, .36, .37, .38, .39, .40, .41, .42, .43, .44, .45, .46, .47, .48, .49, .50, .51, .52, .53, .54, .55, .56, .57, .58, .59, .60, .61, .62 | 2.6.17 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14 | 2.6.18 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 2.6.19 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.20 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21 | 2.6.21 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.22 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19 | 2.6.23 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17 | 2.6.24 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.25 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20 | 2.6.26 .0, .1, .2, .3, .4, .5, .6, .7 | 2.6.27 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24, .25, .26, .27, .28, .29, .30, .31, .32, .33, .34, .35, .36, .37, .38, .39, .40, .41, .42, .43, .44, .45, .46, .47, .48, .49, .50, .51, .52, .59, .60 | 2.6.28 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10 | 2.6.29 .0, .1, .2, .3 | 2.6.30 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9 | 2.6.31 Base, .1, .2, .3, .4, .5, .6, .7, .8 | 2.6.32 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24, .25, .26, .27, .28, .29, .30, .31, .32, .33, .34, .35, .36, .37, .38, .39, .40, .41, .42, .43, .44, .45, .46, .47, .48, .49, .50 | 2.6.33 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20 | 2.6.34 Base, .1, .2, .3, .4, .5, .6, .7, .8 | 2.6.35 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14 | 2.6.36 Base, .1, .2, .3 | 2.6.37 Base, .1, .2, .3, .4, .5, .6 | 2.6.38 Base, .1, .2, .3, .4, .5, .6, .7, .8 | 2.6.39 Base, .1, .2, .3, .4

Associated Products:
MontaVistaMontaVista Linux Professional 4.0.1, 5.0, 5.0.24 | Mobilinux 4.0.2, 4.1, 5.0, 5.0.24 | CGE 4.0.1, 5.1




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield