Vulnerabilities > CVE-2020-8019 - UNIX Symbolic Link (Symlink) Following vulnerability in Oneidentity Syslog-Ng

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

oneidentity

CWE-61

nessus

NVD

Published: 2020-06-29

Updated: 2020-07-09

Summary

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of syslog-ng of SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Module for Legacy Software 12, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Linux Enterprise Server for SAP 12-SP1; openSUSE Backports SLE-15-SP1, openSUSE Leap 15.1 allowed local attackers controlling the user news to escalate their privileges to root. This issue affects: SUSE Linux Enterprise Debuginfo 11-SP3 syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Debuginfo 11-SP4 syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Module for Legacy Software 12 syslog-ng versions prior to 3.6.4-12.8.1. SUSE Linux Enterprise Point of Sale 11-SP3 syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Server 11-SP4-LTSS syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Server for SAP 12-SP1 syslog-ng versions prior to 3.6.4-12.8.1. openSUSE Backports SLE-15-SP1 syslog-ng versions prior to 3.19.1-bp151.4.6.1. openSUSE Leap 15.1 syslog-ng versions prior to 3.19.1-lp151.3.6.1.

Vulnerable Configurations

Part	Description	Count
Application	Oneidentity Oneidentity Syslog NG - Oneidentity Syslog NG 1.4.0 Oneidentity Syslog NG 1.4.7 Oneidentity Syslog NG 1.4.8 Oneidentity Syslog NG 1.4.9 Oneidentity Syslog NG 1.4.10 Oneidentity Syslog NG 1.4.15 Oneidentity Syslog NG 1.5.15 Oneidentity Syslog NG 1.5.20 Oneidentity Syslog NG 2.0 Oneidentity Syslog NG 2.0.9 Oneidentity Syslog NG 2.0.9-27.34.40.5.1 Oneidentity Syslog NG 3.0 Oneidentity Syslog NG 3.0.1 Oneidentity Syslog NG 3.0.2 Oneidentity Syslog NG 3.0.3 Oneidentity Syslog NG 3.0.4 Oneidentity Syslog NG 3.0.5 Oneidentity Syslog NG 3.0.8 Oneidentity Syslog NG 3.1 Oneidentity Syslog NG 3.1.0 Oneidentity Syslog NG 3.2 Oneidentity Syslog NG 3.2.1 Oneidentity Syslog NG 3.2.2 Oneidentity Syslog NG 3.2.4 Oneidentity Syslog NG 3.3.0 Oneidentity Syslog NG 3.3.1 Oneidentity Syslog NG 3.3.2 Oneidentity Syslog NG 3.3.3 Oneidentity Syslog NG 3.3.4 Oneidentity Syslog NG 3.3.5 Oneidentity Syslog NG 3.3.5.90 Oneidentity Syslog NG 3.3.6 Oneidentity Syslog NG 3.3.6.90 Oneidentity Syslog NG 3.3.6.91 Oneidentity Syslog NG 3.3.7 Oneidentity Syslog NG 3.3.8 Oneidentity Syslog NG 3.3.9 Oneidentity Syslog NG 3.3.10 Oneidentity Syslog NG 3.3.11 Oneidentity Syslog NG 3.4.0 Oneidentity Syslog NG 3.4.1 Oneidentity Syslog NG 3.4.2 Oneidentity Syslog NG 3.4.3 Oneidentity Syslog NG 3.4.4 Oneidentity Syslog NG 3.4.5 Oneidentity Syslog NG 3.4.6 Oneidentity Syslog NG 3.4.7 Oneidentity Syslog NG 3.4.8 Oneidentity Syslog NG 3.5.0 Oneidentity Syslog NG 3.5.1 Oneidentity Syslog NG 3.5.2 Oneidentity Syslog NG 3.5.3 Oneidentity Syslog NG 3.5.4 Oneidentity Syslog NG 3.5.4.1 Oneidentity Syslog NG 3.5.5 Oneidentity Syslog NG 3.5.6 Oneidentity Syslog NG 3.6.0 Oneidentity Syslog NG 3.6.1 Oneidentity Syslog NG 3.6.2 Oneidentity Syslog NG 3.6.3 Oneidentity Syslog NG 3.6.4 Oneidentity Syslog NG 3.6.4-12.8.1 Oneidentity Syslog NG 3.7.0 Oneidentity Syslog NG 3.7.1 Oneidentity Syslog NG 3.7.2 Oneidentity Syslog NG 3.7.3 Oneidentity Syslog NG 3.8.0 Oneidentity Syslog NG 3.8.1 Oneidentity Syslog NG 3.9.1 Oneidentity Syslog NG 3.10.1 Oneidentity Syslog NG 3.11.1 Oneidentity Syslog NG 3.12.1 Oneidentity Syslog NG 3.13.1 Oneidentity Syslog NG 3.13.2 Oneidentity Syslog NG 3.14.1 Oneidentity Syslog NG 3.15.1 Oneidentity Syslog NG 3.16.1 Oneidentity Syslog NG 3.17.1 Oneidentity Syslog NG 3.17.2 Oneidentity Syslog NG 3.18.1 Oneidentity Syslog NG 3.19.1 Oneidentity Syslog NG 3.19.1-Bp151.4.6.1	112
Application	Suse Suse Linux Enterprise Debuginfo 11 Suse Linux Enterprise Module FOR Legacy 12 Suse Linux Enterprise Point OF Sale 11	4
Application	Opensuse Opensuse Backports SLE 15.0	1
OS	Suse Suse Linux Enterprise Server 11 Suse Linux Enterprise Server 12	2
OS	Opensuse Opensuse Leap 15.1	1

Common Weakness Enumeration (CWE)

CWE-61 - UNIX Symbolic Link (Symlink) Following

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

Nessus

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2020-1221-1.NASL
description	This update for syslog-ng fixes the following issues : CVE-2020-8019: Fixed a local privilege escalation during package update (bsc#1169385). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-16
modified	2020-05-15
plugin id	136657
published	2020-05-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136657
title	SUSE SLES12 Security Update : syslog-ng (SUSE-SU-2020:1221-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2020:1221-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(136657); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/14"); script_cve_id("CVE-2020-8019"); script_name(english:"SUSE SLES12 Security Update : syslog-ng (SUSE-SU-2020:1221-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for syslog-ng fixes the following issues : CVE-2020-8019: Fixed a local privilege escalation during package update (bsc#1169385). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1169385" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-8019/" ); # https://www.suse.com/support/update/announcement/2020/suse-su-20201221-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1bccdbdc" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server for SAP 12-SP1 : zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1221=1 SUSE Linux Enterprise Module for Legacy Software 12 : zypper in -t patch SUSE-SLE-Module-Legacy-12-2020-1221=1" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:syslog-ng"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:syslog-ng-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:syslog-ng-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/29"); script_set_attribute(attribute:"patch_publication_date", value:"2020/05/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"syslog-ng-3.6.4-12.8.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"syslog-ng-debuginfo-3.6.4-12.8.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"syslog-ng-debugsource-3.6.4-12.8.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "syslog-ng"); }

References

https://bugzilla.suse.com/show_bug.cgi?id=1169385