mgetty creates temporary files insecurely

Overview

mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.

Description

mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.

---

Impact

By creating a symbolic link named ‘.last_run’ and pointing towards any existing file, an attacker can cause mgetty to overwrite the file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.

---

Solution

Apply vendor patches; see the Systems Affected section below.

---

Disable the faxrunq service.

---

Vendor Information

396272

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Caldera __ Affected

Notified: January 10, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

<http://www.caldera.com/support/security/advisories/CSSA-2001-002.0.txt&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Debian __ Affected

Notified: March 06, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

FreeBSD __ Affected

Notified: September 20, 2000 Updated: September 13, 2001

Status

Affected

Vendor Statement

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Immunix __ Affected

Notified: January 10, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/other_advisory-1034.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

MandrakeSoft __ Affected

Notified: January 10, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

<http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-009.php3?dis=6.1&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

RedHat __ Affected

Notified: September 18, 2001 Updated: September 20, 2001

Status

Affected

Vendor Statement

<http://www.redhat.com/support/errata/RHSA-2001-050.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Apple __ Not Affected

Notified: September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

Mac OS X does not contain mgetty, and is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Cray __ Not Affected

Notified: September 18, 2001 Updated: September 27, 2001

Status

Not Affected

Vendor Statement

Cray, Inc. does not provide mgetty with its operating system software so we are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

HP __ Not Affected

Notified: September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

HP-UX is not effected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

IBM __ Not Affected

Notified: September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

IBM’s AIX operating system does not include mgetty and the faxrunq service, so AIX is not vulnerable to the exploit described.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

NetBSD __ Not Affected

Notified: September 18, 2001 Updated: November 08, 2001

Status

Not Affected

Vendor Statement

NetBSD does not ship with mgetty as part of the base distribution, but it is available as an optional third-party package. We did distribute a package with a vulnerable version (less that 1.1.22). We do not intend to release a specific vulnerability notice, but we do have other means of notifying users of our third party packages about vulnerabilities in said packages (the “audit-packages” system).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

OpenBSD __ Not Affected

Notified: September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

OpenBSD does not use mgetty.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

SCO __ Not Affected

Notified: September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

Caldera’s UNIX products (OpenServer, UnixWare, Open Unix) do not ship mgetty.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

BSDI Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Cray Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

DEC Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Data General Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Fujitsu Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

NEC Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

NeXT Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

SGI Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Sequent Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Sony Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Sun Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

Unisys Unknown

Notified: September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396272 Feedback>).

View all 25 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/2187&gt;
• <http://www.caldera.com/support/security/advisories/CSSA-2001-002.0.txt&gt;
• <http://www.linuxsecurity.com/advisories/caldera_advisory-1059.html&gt;
• <http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html&gt;
• <http://www.linuxsecurity.com/advisories/debian_advisory-1184.html&gt;
• <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc&gt;
• <http://www.linuxsecurity.com/advisories/freebsd_advisory-894.html&gt;
• <http://www.redhat.com/support/errata/RHSA-2001-050.html&gt;
• <http://www.linuxsecurity.com/advisories/redhat_advisory-1321.html&gt;
• <http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-009.php3?dis=6.1&gt;
• <http://www.linuxsecurity.com/advisories/other_advisory-1034.html&gt;

Acknowledgements

This vulnerability was first identified by Greg Kroah-Hartman of Immunix.

This document was last changed by Tim Shimeall.

Other Information

CVE IDs:	CVE-2001-0141
Severity Metric:	1.13 Date Public: