search menu icon-carat-right cmu-wordmark

CERT Coordination Center


mgetty creates temporary files insecurely

Vulnerability Note VU#396272

Original Release Date: 2001-10-01 | Last Revised: 2001-11-08

Overview

mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.

Description

mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.

Impact

By creating a symbolic link named '.last_run' and pointing towards any existing file, an attacker can cause mgetty to overwrite the file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.

Solution

Apply vendor patches; see the Systems Affected section below.

Disable the faxrunq service.

Vendor Information

396272
Expand all

Caldera

Notified:  January 10, 2001 Updated:  September 13, 2001

Status

  Vulnerable

Vendor Statement

http://www.caldera.com/support/security/advisories/CSSA-2001-002.0.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  March 06, 2001 Updated:  September 13, 2001

Status

  Vulnerable

Vendor Statement

http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  September 20, 2000 Updated:  September 13, 2001

Status

  Vulnerable

Vendor Statement

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix

Notified:  January 10, 2001 Updated:  September 13, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/other_advisory-1034.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  January 10, 2001 Updated:  September 13, 2001

Status

  Vulnerable

Vendor Statement

http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-009.php3?dis=6.1

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Vulnerable

Vendor Statement

http://www.redhat.com/support/errata/RHSA-2001-050.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Not Vulnerable

Vendor Statement

Mac OS X does not contain mgetty, and is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray

Notified:  September 18, 2001 Updated:  September 27, 2001

Status

  Not Vulnerable

Vendor Statement

Cray, Inc. does not provide mgetty with its operating system software so we are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

HP

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Not Vulnerable

Vendor Statement

HP-UX is not effected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Not Vulnerable

Vendor Statement

IBM's AIX operating system does not include mgetty and the faxrunq service, so AIX is not vulnerable to the exploit described.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  September 18, 2001 Updated:  November 08, 2001

Status

  Not Vulnerable

Vendor Statement

NetBSD does not ship with mgetty as part of the base distribution, but it is available as an optional third-party package. We did distribute a package with a vulnerable version (less that 1.1.22). We do not intend to release a specific vulnerability notice, but we do have other means of notifying users of our third party packages about vulnerabilities in said packages (the "audit-packages" system).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Not Vulnerable

Vendor Statement

OpenBSD does not use mgetty.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Not Vulnerable

Vendor Statement

Caldera's UNIX products (OpenServer, UnixWare, Open Unix) do not ship mgetty.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

DEC

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NeXT

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  September 18, 2001 Updated:  September 20, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was first identified by Greg Kroah-Hartman of Immunix.

This document was last changed by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0141
Severity Metric: 1.13
Date Public: 2001-01-10
Date First Published: 2001-10-01
Date Last Updated: 2001-11-08 18:10 UTC
Document Revision: 17

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.