Title: Tripwire Insecure Temporary File Symbolic Link Vulnerability
Severity: MODERATE
Description:
Tripwire is an open source host-based intrusion detection system actively maintained by the Tripwire Development Team.
A problem in the software makes it possible to launch symbolic link attacks on an affected system. This vulnerability may be exploited to arbitrarily overwrite root-owned files, resulting in a denial of service, or potentially to gain elevated privileges. The problem is in the insecure handling of temporary files by the Tripwire program.
During normal operation, Tripwire traverses system directories and builds a database of current files. The program then checks attributes of these files, such as Unix filesystem attributes and message digest hashes, against an existing database, verifying the integrity of the system files.
When Tripwire searches the directories, it creates files in the /tmp directory insecurely: it does not use the O_EXCL flag together with the O_CREAT flag when creating a file. Additionally, the program uses the mktemp() function, rather than the more secure mkstemp() function, to create the temporary file.
This makes it possible for a local attacker to guess the filename of a future temporary file, and create a range of symbolic links that could be used to overwrite root-owned files.
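The difference between the flag combinations named above can be checked in a private scratch directory. The following C program is an added example, not Tripwire code: the function names, the file name tmpfile.00001 and the use of O_TRUNC in the insecure variant are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700  /* mkdtemp, mkstemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: O_CREAT without O_EXCL follows a symlink that
 * already sits at `path`. O_TRUNC is assumed here to make the effect visible. */
static int open_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_EXCL with O_CREAT: open() fails with EEXIST if anything, including a
 * symlink, already exists at `path`, and the link is never followed. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario inside a private scratch directory: a symlink at a
 * predictable temp name points at `victim` (5 bytes). mode 0 = insecure open,
 * 1 = O_EXCL open, 2 = mkstemp(). Returns victim's size afterwards. */
long victim_size_after(int mode) {
    char dir[] = "/tmp/tw_demo_XXXXXX", victim[64], tmp[64], tmpl[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/tmpfile.00001", dir);  /* hypothetical name */
    snprintf(tmpl, sizeof tmpl, "%s/tmpfile.XXXXXX", dir);
    int fd = open_exclusive(victim);
    if (fd < 0 || write(fd, "data\n", 5) != 5) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;
    if (mode == 0)      fd = open_insecure(tmp);
    else if (mode == 1) fd = open_exclusive(tmp);
    else                fd = mkstemp(tmpl);  /* unpredictable name, O_EXCL inside */
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmpl); unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("insecure:  victim is %ld bytes\n", victim_size_after(0));
    printf("exclusive: victim is %ld bytes\n", victim_size_after(1));
    printf("mkstemp:   victim is %ld bytes\n", victim_size_after(2));
    return 0;
}
```

A size of 0 means the file behind the symbolic link was truncated; 5 means it was left intact.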
Affected Products:
- Tripwire Tripwire 1.3.1
- Tripwire Tripwire 2.2.1
- Tripwire Tripwire 2.3.0.0