CVE-2018-19044 - OpenCVE

keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Keepalived	Keepalived

Configuration 1 [-]

cpe:2.3:a:keepalived:keepalived:2.0.8:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2019:2285
https://bugzilla.suse.com/show_bug.cgi?id=1015141	Issue Tracking Third Party Advisory
https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306	Patch Third Party Advisory
https://github.com/acassen/keepalived/issues/1048	Exploit Patch Third Party Advisory
https://security.gentoo.org/glsa/201903-01	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-11-08T20:00:00

Updated: 2019-08-06T16:06:34

Reserved: 2018-11-06T00:00:00

Link: CVE-2018-19044

JSON object: View

NVD Information

Status : Modified

Published: 2018-11-08T20:29:00.323

Modified: 2019-08-06T17:15:32.430

Link: CVE-2018-19044

JSON object: View

Redhat Information

No data.

CWE

CWE-59

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-11-08T00:00:00", "descriptions": [{"lang": "en", "value": "keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-06T16:06:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306"}, {"name": "GLSA-201903-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201903-01"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1015141"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/acassen/keepalived/issues/1048"}, {"name": "RHSA-2019:2285", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2285"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19044", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306", "refsource": "MISC", "url": "https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306"}, {"name": "GLSA-201903-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201903-01"}, {"name": "https://bugzilla.suse.com/show_bug.cgi?id=1015141", "refsource": "MISC", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1015141"}, {"name": "https://github.com/acassen/keepalived/issues/1048", "refsource": "MISC", "url": "https://github.com/acassen/keepalived/issues/1048"}, {"name": "RHSA-2019:2285", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2285"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19044", "datePublished": "2018-11-08T20:00:00", "dateReserved": "2018-11-06T00:00:00", "dateUpdated": "2019-08-06T16:06:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keepalived:keepalived:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "41629AA7-851D-438F-8836-0574E4912DF1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd."}, {"lang": "es", "value": "keepalived 2.0.8 no buscaba nombres de ruta con enlaces simb\u00f3licos al escribir datos en un archivo temporal al llamar a PrintData o PrintStats. Esto permit\u00eda a los usuarios locales sobrescribir archivos arbitrarios si fs.protected_symlinks se establece en 0, tal y como lo demuestra un enlace simb\u00f3lico desde /tmp/keepalived.data o /tmp/keepalived.stats a /etc/passwd."}], "id": "CVE-2018-19044", "lastModified": "2019-08-06T17:15:32.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-08T20:29:00.323", "references": [{"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2285"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1015141"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/acassen/keepalived/issues/1048"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201903-01"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}