Vulnerability Note VU#655259

OpenSSH allows arbitrary file deletion via symlink redirection of temporary file

Original Release date: 21 Aug 2001 | Last revised: 15 Nov 2001

Overview

Due to insecure handling of temporary files, some versions of sshd, an encrypted connection program, can delete any file named "cookies" accessible via the computer running sshd.

Description

sshd is the server software used to support ssh, a popular encryted connection program. Some versions of OpenSSH fail to handle temporary files in a secure fashion, allowing their removal during an ssh session. This removal may be reflected in the removal of files named "cookies" on the server. Since sshd runs setuid root, ownership and protection of the "cookies" file will be disregarded.

Impact

Using this exploit, an attacker may cause loss of data, particularly web location data used in many web sites.

Solution

Apply vendor patches; see the Systems Affected section below.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
CalderaAffected03 Jul 200109 Aug 2001
ConectivaAffected04 Jun 200115 Nov 2001
ImmunixAffected04 Jun 200115 Nov 2001
NetBSDAffected-31 Jul 2001
OpenBSDAffected12 Jun 200121 Aug 2001
OpenSSHAffected12 Jun 200121 Aug 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was initially reported on the Bugtraq discussion list.

This document was last modified by Tim Shimeall.

Other Information

  • CVE IDs: CAN-2001-0529
  • Date Public: 12 Jun 2001
  • Date First Published: 21 Aug 2001
  • Date Last Updated: 15 Nov 2001
  • Severity Metric: 0.76
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.