CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
EPSS
Percentile
5.1%
openCryptoki 2.4.1 allows local users to create or set world-writable
permissions on arbitrary files via a symlink attack on the (1)
LCK…opencryptoki or (2) LCK…opencryptoki_stdll file in /var/lock/.
Author | Note |
---|---|
mdeslaur | 2.4.1 moved lock files from /tmp to /var/lock, but /var/lock is world writable on certain distros, such as debian and ubuntu. 2.4.2 moved them to /var/lock/opencryptoki members of the pkcs11 group are considered trusted by upstream and can escalate privileges to root even after the upstream patches. See oss-security discussion. Moving this to /var/lock/opencryptoki makes the problem worse for members of the pkcs11 group as that directory wouldn’t be covered by symlink restrictions. Fix shouldn’t be applied to natty+ Fixing this in lucid would only prevent users who are not in the pkcs11 group from escalating permissions. Since it is likely that local users that have this installed are in that group, this is downgraded to low. |