Xen xenq-shm symlink

xen-xenqshm-symlink (37403)

Medium Risk

Description:

Xen could allow a local attacker to launch a symlink attack. The xenq-shm file is created with insecure permissions. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to other files on the system, which would allow the attacker to truncate arbitrary files on the system with elevated privileges.

Platforms Affected:

• Debian, Debian Linux 4.0
• MandrakeSoft, Mandrake Linux 2007 X86_64
• MandrakeSoft, Mandrake Linux 2007
• MandrakeSoft, Mandrake Linux 2007.1
• MandrakeSoft, Mandrake Linux 2007.1 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 4.0
• MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
• RedHat, Enterprise Linux 5 Client
• RedHat, Enterprise Linux 5
• RedHat, RHEL Desktop Multi OS 5 Client
• RedHat, RHEL Virtualization 5 Server
• XenSource, Xen 3.1
• XenSource, Xen 3.x

Remedy:

Refer to DSA-1395-1 for patch, upgrade, or workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

File Manipulation

References:

• Debian Bug report logs - #447795, xen-utils-3.0.3-1: [CVE-2007-3919] xenmon.py / xenbaked insecure file accesss at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447795.
• Xen Web site, Xen at http://xen.xensource.com/.
• BID-26190: Xen 'xenmon.py' and 'xenbaked' Insecure Temporary File Creation Vulnerability
• CVE-2007-3919: (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm.
• DSA-1395: xen-utils -- insecure temporary files
• FrSIRT/ADV-2007-3621: Xen xenbaked and xenmon Insecure Temporary File Handling Issue
• MDKSA-2007:203: Updated xen packages fix multiple vulnerabilities
• RHSA-2008-0194: Important: xen security and bug fix update
• SA27389: Xen "xenbaked" Insecure Temporary Files
• SECTRACK ID: 1018859: Xen Insecure Temporary File Lets Local Users Truncate Files

Reported:

Oct 23, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page