search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

mgetty creates temporary files insecurely

Vulnerability Note VU#396272

Original Release Date: 2001-10-01 | Last Revised: 2001-11-08

Overview

mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.

Description

mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.

Impact

By creating a symbolic link named '.last_run' and pointing towards any existing file, an attacker can cause mgetty to overwrite the file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.

Solution

Apply vendor patches; see the Systems Affected section below.

Disable the faxrunq service.

Vendor Information

396272
 
Expand all

Caldera Affected

Notified:  January 10, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

http://www.caldera.com/support/security/advisories/CSSA-2001-002.0.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Affected

Notified:  March 06, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Affected

Notified:  September 20, 2000 Updated: September 13, 2001

Status

Affected

Vendor Statement

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix Affected

Notified:  January 10, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/other_advisory-1034.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Notified:  January 10, 2001 Updated: September 13, 2001

Status

Affected

Vendor Statement

http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-009.php3?dis=6.1

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat Affected

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Affected

Vendor Statement

http://www.redhat.com/support/errata/RHSA-2001-050.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Not Affected

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

Mac OS X does not contain mgetty, and is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Not Affected

Notified:  September 18, 2001 Updated: September 27, 2001

Status

Not Affected

Vendor Statement

Cray, Inc. does not provide mgetty with its operating system software so we are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

HP Not Affected

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

HP-UX is not effected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Not Affected

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

IBM's AIX operating system does not include mgetty and the faxrunq service, so AIX is not vulnerable to the exploit described.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Not Affected

Notified:  September 18, 2001 Updated: November 08, 2001

Status

Not Affected

Vendor Statement

NetBSD does not ship with mgetty as part of the base distribution, but it is available as an optional third-party package. We did distribute a package with a vulnerable version (less that 1.1.22). We do not intend to release a specific vulnerability notice, but we do have other means of notifying users of our third party packages about vulnerabilities in said packages (the "audit-packages" system).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD Not Affected

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

OpenBSD does not use mgetty.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Not Affected

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Not Affected

Vendor Statement

Caldera's UNIX products (OpenServer, UnixWare, Open Unix) do not ship mgetty.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

DEC Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NeXT Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys Unknown

Notified:  September 18, 2001 Updated: September 20, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 25 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was first identified by Greg Kroah-Hartman of Immunix.

This document was last changed by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0141
Severity Metric: 1.13
Date Public: 2001-01-10
Date First Published: 2001-10-01
Date Last Updated: 2001-11-08 18:10 UTC
Document Revision: 17

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis