The Linux Kernel contains a vulnerability that could allow an unprivileged, local attacker to conduct symbolic link (symlink) attacks.
The vulnerability exists because the kernel fails to impose sufficient security restrictions on temporary files. An unprivileged, local attacker could exploit the vulnerability by creating symbolic links to different system files to gain unauthorized access to these files. The attacker could then overwrite arbitrary files with elevated privileges.
Kernel.org has confirmed the vulnerability in the git repository, and software updates are available.
Indicators of Compromise
Linux Kernel versions 2.6.39.rc4 and prior are vulnerable.
The vulnerability exists because the iproute package insecurely creates temporary files in the /tmp folder while checking for ATM technology support, Xtables extension support, and setns() system call support, and also in the dhcp-client-script example script. Because temporary files in this folder carry insecure file permissions by default, symbolic links to these files could be used to gain elevated privileges to access arbitrary system files.
An unprivileged, local attacker could exploit the vulnerability by crafting symlinks to the temporary files and could thereby overwrite arbitrary system files. Execution of the overwritten system files could allow the attacker to execute arbitrary code and cause unintended system behavior.
To successfully exploit the vulnerability, the attacker would need local access to the targeted system, which could limit the likelihood of an exploit.
The vulnerability may be mitigated by saving temporary files generated from the build configuration script to the build directory, instead of the /tmp directory.
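The mitigation above, sketched as an added example (not code from the iproute package or from this alert): a configure-style script keeps its probe files in a private directory inside the build tree and refuses to write through anything that already exists. The function names, the `.cfgtmp` prefix and the `/tmp/probe.c` file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the iproute configure script. Function names are hypothetical.
#
# Weak pattern described in the advisory (constructed file name):
#   echo 'int main(void){return 0;}' > /tmp/probe.c
# The name is guessable and /tmp is world-writable, so another local user can
# pre-create /tmp/probe.c as a symlink and the redirect writes through it.

# Create a private scratch directory inside the build tree instead of /tmp.
make_scratch_dir() {
    build_dir=$1
    # The build directory must be a real directory, not a symlink.
    if [ ! -d "$build_dir" ] || [ -L "$build_dir" ]; then
        return 1
    fi
    # mktemp -d creates the directory atomically, mode 0700, random suffix.
    mktemp -d "$build_dir/.cfgtmp.XXXXXXXX"
}

# Write stdin to $scratch/$name, refusing to reuse anything already there.
write_probe() {
    scratch=$1
    name=$2
    case $name in
        */*|''|.|..) return 1 ;;   # plain file names only, no path traversal
    esac
    # noclobber (set -C) makes '>' fail when the target already exists,
    # including when it is a symlink, so a planted link is never followed.
    if ( set -C; cat > "$scratch/$name" ) 2>/dev/null; then
        printf '%s\n' "$scratch/$name"
    else
        return 1
    fi
}

# Remove the scratch directory; only paths produced by make_scratch_dir qualify.
cleanup_scratch() {
    case $1 in
        */.cfgtmp.*) rm -rf -- "$1" ;;
        *) return 1 ;;
    esac
}
```

A build script would call `make_scratch_dir "$PWD"` once, pipe each probe source into `write_probe`, and call `cleanup_scratch` from an exit trap.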
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to access local systems.
Administrators are advised to enforce strong passwords for local accounts.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.