Ingres wakeup setuid(ingres) file truncation

2007-06-26T00:00:00
ID SECURITYVULNS:DOC:17344
Type securityvulns
Reporter Securityvulns
Modified 2007-06-26T00:00:00

Description

======= Summary ======= Name: wakeup setuid(ingres) file truncation Release Date: 25 June 2007 Reference: NGS00390 Discover: Chris Anley <chris@ngssoftware.com> Vendor: Ingres Vendor Reference: [Ingres bug 115913, CVE-2007-3337, CAID 35451] Systems Affected: Ingres 2006 9.0.4 and prior Risk: Medium Status: Published

======== TimeLine ======== Discovered: 27 March 2006 Released: 27 March 2006 Approved: 27 March 2006 Reported: 27 March 2006 Fixed: 21 June 2007 Published: 25 June 2007

=========== Description =========== Ingres 2006 is a venerable and functionality-rich RDBMS that has recently been made available under the Gnu Public License (GPL).

A setuid binary, "wakeup", allows any user to truncate any file with the privileges of the "ingres" user.

================= Technical Details ================= The "wakeup" binary creates a file named "alarmwkp.def" in the current directory, truncating the file if already exists. The "wakeup" binary is setuid "ingres" and world-executable, thus any user can truncate a file with the privileges of the "ingres" user by creating a symbolic link in the current directory.

=============== Fix Information =============== Ingres issued a patch for this issue on the 21st June 2007.

Further details are available at http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp

Note that this issue affects a wide range of Computer Associates products. A list of these products is available at http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778

The affected products are listed below:

Advantage Data Transformer r2.2 AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1 AllFusion Harvest Change Manager r7, r7.1 BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and Mainframe Linux) BrightStor ARCserve Backup for Laptops and Desktops r11.5 BrightStor Enterprise Backup (Unix only) r10.5 BrightStor Storage Command Center r11.5 BrightStor Storage Resource Manager r11.5 CleverPath Aion Business Rules Expert r10.1 CleverPath Aion Business Process Monitoring r10.1 CleverPath Predictive Analysis Server r3 DocServer 1.1 eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2 eTrust Audit r8 SP2 eTrust Directory r8.1 eTrust IAM Suite r8.0 eTrust IAM Toolkit r8.0, r8.1 eTrust Identity Manager r8.1 eTrust Network Forensics r8.1 eTrust Secure Content Manager r8 eTrust Single Sign-On r7, r8, r8.1 eTrust Web Access Control 1.0 Unicenter Advanced Systems Management r11 Unicenter Asset Intelligence r11 Unicenter Asset Management r11 Unicenter Asset Portfolio Management r11.2.1, r11.3 Unicenter CCS r11 Unicenter Database Command Center r11.1 Unicenter Desktop and Server Management r11 Unicenter Desktop Management Suite r11 Unicenter Enterprise Job Manager r1 SP3, r1 SP4 Unicenter Job Management Option r11 Unicenter Lightweight Portal 2 Unicenter Management Portal r3.1.1 Unicenter Network and Systems Management r3.0, r11 Unicenter Network and Systems Management - Tiered - Multi Platform r3.0 0305, r3.1 0403, r11.0 Unicenter Patch Management r11 Unicenter Remote Control 6, r11 Unicenter Service Accounting r11, r11.1 Unicenter Service Assure r2.2, r11, r11.1 Unicenter Service Catalog r11, r11.1 Unicenter Service Delivery r11.0, r11.1 Unicenter Service Intelligence r11 Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1 Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1, r11.2 Unicenter Software Delivery r11 Unicenter TNG 2.4, 2.4.2, 2.4.2J Unicenter Workload Control Center r1 SP3, r1 SP4 Unicenter Web Services Distributed Management 3.11, 3.50 Wily SOA Manager 7.1

NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070 -- E-MAIL DISCLAIMER

The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402