Vulnerabilities > CVE-2004-0647 - Unspecified vulnerability in Shorewall
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
shorewall 1.4.10c and earlier, and 2.0.x before 2.0.3a, allows local users to overwrite arbitrary files via a symlink attack on the chains-$$ temporary file.
Vulnerable Configurations
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200407-07.NASL description The remote host is affected by the vulnerability described in GLSA-200407-07 (Shorewall : Insecure temp file handling) Shorewall uses temporary files and directories in an insecure manner. A local user could create symbolic links at specific locations, eventually overwriting other files on the filesystem with the rights of the shorewall process. Impact : An attacker could exploit this vulnerability to overwrite arbitrary system files with root privileges, resulting in Denial of Service or further exploitation. Workaround : There is no known workaround at this time. All users should upgrade to the latest available version of Shorewall. last seen 2020-06-01 modified 2020-06-02 plugin id 14540 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14540 title GLSA-200407-07 : Shorewall : Insecure temp file handling code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200407-07. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14540); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-0647"); script_xref(name:"GLSA", value:"200407-07"); script_name(english:"GLSA-200407-07 : Shorewall : Insecure temp file handling"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200407-07 (Shorewall : Insecure temp file handling) Shorewall uses temporary files and directories in an insecure manner. A local user could create symbolic links at specific locations, eventually overwriting other files on the filesystem with the rights of the shorewall process. Impact : An attacker could exploit this vulnerability to overwrite arbitrary system files with root privileges, resulting in Denial of Service or further exploitation. Workaround : There is no known workaround at this time. All users should upgrade to the latest available version of Shorewall." ); # http://lists.shorewall.net/pipermail/shorewall-announce/2004-June/000385.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3206be45" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200407-07" ); script_set_attribute( attribute:"solution", value: "All users should upgrade to the latest available version of Shorewall, as follows: # emerge sync # emerge -pv '>=net-firewall/shorewall-1.4.10f' # emerge '>=net-firewall/shorewall-1.4.10f'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:shorewall"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/07/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-firewall/shorewall", unaffected:make_list("ge 1.4.10f"), vulnerable:make_list("le 1.4.10c"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Shorewall "); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-080.NASL description The shorewall package has a vulnerability when creating temporary files and directories, which could allow non-root users to overwrite arbitrary files on the system. The updated packages are patched to fix the problem. As well, for Mandrakelinux 10.0, the updated packages have been fixed to start shorewall after the network, rather than before. After updating the package, if shorewall was previously running, you may need to issue a last seen 2020-06-01 modified 2020-06-02 plugin id 14329 published 2004-08-22 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14329 title Mandrake Linux Security Advisory : shorewall (MDKSA-2004:080) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2004:080. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14329); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-0647"); script_xref(name:"MDKSA", value:"2004:080"); script_name(english:"Mandrake Linux Security Advisory : shorewall (MDKSA-2004:080)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The shorewall package has a vulnerability when creating temporary files and directories, which could allow non-root users to overwrite arbitrary files on the system. The updated packages are patched to fix the problem. As well, for Mandrakelinux 10.0, the updated packages have been fixed to start shorewall after the network, rather than before. After updating the package, if shorewall was previously running, you may need to issue a 'service shorewall restart'." ); # http://lists.shorewall.net/pipermail/shorewall-announce/2004-June/000385.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3206be45" ); script_set_attribute( attribute:"solution", value:"Update the affected shorewall and / or shorewall-doc packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:shorewall"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:shorewall-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"shorewall-2.0.1-3.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"shorewall-2.0.1-3.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"shorewall-doc-2.0.1-3.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"shorewall-doc-2.0.1-3.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", reference:"shorewall-1.3.14-3.1.91mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", reference:"shorewall-doc-1.3.14-3.1.91mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"shorewall-1.4.8-2.2.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"shorewall-1.4.8-2.2.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"shorewall-doc-1.4.8-2.2.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"shorewall-doc-1.4.8-2.2.92mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");