Vulnerability Note VU#396272
mgetty creates temporary files insecurely
mgetty, a replacement for getty designed to support modem and fax use, creates files with a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause arbitrary files on the system to be overwritten, but the risk of elevated privileges is low.
mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.
By creating a symbolic link named '.last_run' that points to any existing file, an attacker can cause mgetty to overwrite that file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.
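The file-creation pattern described above, next to one hardened alternative, as an added example that is not mgetty or faxrunq source code. The function names, the private scratch directory under /tmp and the file contents are assumptions made for the demonstration; only the '.last_run' name comes from this note.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, mkstemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the note: open a fixed name; the kernel follows any symlink. */
static int stamp_unsafe(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    return (close(fd) == 0 && n >= 0) ? 0 : -1;
}

/* Hardened: fill a fresh O_EXCL file from mkstemp(), then rename() it over
   the fixed name. rename() replaces the link itself, never its target. */
static int stamp_safe(const char *dir, const char *name, const char *text) {
    char tmp[512], dst[512];
    snprintf(tmp, sizeof tmp, "%s/.stampXXXXXX", dir);
    snprintf(dst, sizeof dst, "%s/%s", dir, name);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    if (close(fd) != 0 || n < 0 || rename(tmp, dst) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Constructed scenario: private scratch dir holding ".last_run" -> victim.
   Returns the victim's size after the stamp is written, or -1 on error. */
static long victim_size_after(int use_safe) {
    char dir[] = "/tmp/spoolXXXXXX", victim[512], lnk[512];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/.last_run", dir);
    if (stamp_unsafe(victim, "important data\n") || symlink(victim, lnk)) return -1;
    int rc = use_safe ? stamp_safe(dir, ".last_run", "run\n") : stamp_unsafe(lnk, "run\n");
    long size = (rc == 0 && stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("victim size: unsafe=%ld safe=%ld\n", victim_size_after(0), victim_size_after(1));
    return 0;
}
```

With the unsafe variant the 15-byte victim file ends up holding only the 4-byte stamp; with the hardened variant the symlink is replaced by a regular file and the victim is untouched.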
Apply vendor patches; see the Systems Affected section below.
Disable the faxrunq service.
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Caldera | Affected | 10 Jan 2001 | 13 Sep 2001 |
| Debian | Affected | 06 Mar 2001 | 13 Sep 2001 |
| FreeBSD | Affected | 20 Sep 2000 | 13 Sep 2001 |
| Immunix | Affected | 10 Jan 2001 | 13 Sep 2001 |
| MandrakeSoft | Affected | 10 Jan 2001 | 13 Sep 2001 |
| RedHat | Affected | 18 Sep 2001 | 20 Sep 2001 |
| Apple | Not Affected | 18 Sep 2001 | 20 Sep 2001 |
| Cray | Not Affected | 18 Sep 2001 | 27 Sep 2001 |
| HP | Not Affected | 18 Sep 2001 | 20 Sep 2001 |
| IBM | Not Affected | 18 Sep 2001 | 20 Sep 2001 |
| NetBSD | Not Affected | 18 Sep 2001 | 08 Nov 2001 |
| OpenBSD | Not Affected | 18 Sep 2001 | 20 Sep 2001 |
| SCO | Not Affected | 18 Sep 2001 | 20 Sep 2001 |
| BSDI | Unknown | 18 Sep 2001 | 20 Sep 2001 |
| Cray | Unknown | 18 Sep 2001 | 20 Sep 2001 |
This vulnerability was first identified by Greg Kroah-Hartman of Immunix.
This document was last changed by Tim Shimeall.
- CVE IDs: CAN-2001-0141
- Date Public: 10 Jan 2001
- Date First Published: 01 Oct 2001
- Date Last Updated: 08 Nov 2001
- Severity Metric: 1.13
- Document Revision: 17