Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-4190 — Link Following in Openswan

CWE-59 — Link Following5 documents5 sources

Severity

4.4MEDIUMNVD

EPSS

0.2%

top 61.36%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Openswan Xelerance Openswan

Timeline

PublishedSep 24

Latest updateMay 2

Description

The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE: in many distributions and the upstream version, this tool has been disabled.

CVSS vector

AV:L/AC:M/C:P/I:P/A:PExploitability: 3.4 | Impact: 6.4

Affected Packages2 packages

▶NVDopenswan/openswan13 versions+12

▶NVDxelerance/openswan18 versions+17

Patches

Patch: bugs.debian.org ↗Patch: www.debian.org ↗Patch: www.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-pqmw-hq69-w92w: The IPSEC livetest tool in Openswan 2↗2022-05-02

▶

💥Exploits & PoCs

Exploit-DB

Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation↗2009-07-13

▶

📋Vendor Advisories

Red Hat

openswan: Insecure auxiliary /tmp file usage (symlink attack possible)↗2008-08-24

▶

💬Community

Bugzilla

CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible)↗2008-08-28

▶