SB2019010842 - Permissions, Privileges, and Access Controls in keepalived (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2018-19046)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to software does not check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats. A local user can create a file "/tmp/keepalived.data" or "/tmp/keepalived.stats" with read access to it for the attacker and write access for keepalived process, it is possible to gain access to sensitive information, written into these files by the application.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=b0db67a5a9a6e1d6299a426bcbbb56da356da370
• https://git.alpinelinux.org/aports/commit/?id=d5456c04c54ef1071228fe009595f420a2dd7e42