oss-security September 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE Request -- openvas-scanner

Re: [oss-security] CVE Request -- openvas-scanner -- Insecure temporary file use by generation of an OVAL system characteristics document, when ovaldi support enabled

From: Josh Bressers <bressers_at_nospam>
Date: Fri Sep 09 2011 - 17:45:03 GMT
To: oss-security@lists.openwall.com

Let's go with one ID. I don't see a reason to split these.

Use CVE-2011-3351

Thanks.

-- JB ----- Original Message ----- > On Wednesday 07 Sep 2011 13:13:45 Jan Lieskovsky wrote: > > Hello Josh, Steve, vendors, > > > > it was reported that the scanner module for the Open > > Vulnerability > > Assessment System (OpenVAS) used insecure way for creation of a > > temporary file, when generating OVAL system characteristics document > > from the knowledge base data available, with the ovaldi integrated > > tool > > enabled. A local attacker could use this flaw to conduct symlink > > attacks to overwrite arbitrary files on the system, accessible with > > the > > privileges of the user running the SLAD daemon and / or the ovaldi > > OVAL > > interpreter. > > > > Whilst having a look at the code with regard to the recently reported > f-d > issue with OpenVAS, the handling of sc-out.xml in the very same > function also > looks insecure. It also doesn't appear to care about races either and > I'm > also curious as to whether you can control the contents at all (think > attacks > against the ovaldi XML parser). I would suggest that this code needs > properly > auditing or removing. > > Unfortunately the interaction with sc-out.xml happens before > privileges are > dropped so the malicious activitity occurs as the openvas-scanner user > (normally root) rather than nobody as in the case of results.xml - The > call to > unlink referenced in the f-d email is actually a misnomer as it will > actually > only delete the file from /tmp and not whatever it may or may not have > pointed > to and the actual writing to the newly race created symlink actually > happens > within the ovaldi binary which is spawned as nobody AFAIK. > > Josh/oss-security folk, can I get a CVE for both bugs please. Will we > need to > split out the two race conditions as separate CVE? The OpenVAS > advisory will > cover both the originally reported nobody case as well as the root > case > referenced above. > > Tim > -- > Tim Brown > <mailto:timb@openvas.org> > <http://www.openvas.org/>