ID

VAR-200109-0013


CVE

CVE-2001-1102


TITLE

Check Point Firewall-1 Policy Compilation Symbolic Link Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200109-022

DESCRIPTION

Check Point FireWall-1 3.0b through 4.1 for Solaris allows local users to overwrite arbitrary files via a symlink attack on temporary policy files that end in a .cpp extension, which are set world-writable.

Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise-sized networks. A problem with Firewall-1 has been discovered that makes it possible for a local user to change the permissions of root-owned files to world-writable, and potentially gain elevated privileges. The problem is in the creation of predictable /tmp files. When firewall rules are edited and committed, a file is created in /tmp using the name of the policy as the filename and .cpp as the extension. A local user can create symbolic links to root-owned files under those names, which results in the target files becoming world-writable and potentially allows the user to gain local root access.

The file's attributes are set to rw-rw-rw- (666), which allows anyone to modify the file. Because the file is not checked for being a symbolic link when it is created, an attacker can create a file in any directory through a link attack. If an attacker has permission to compile firewall policies and has access to the system where the firewall resides, this vulnerability could be exploited to elevate privileges.

Trust: 1.26

sources: NVD: CVE-2001-1102 // BID: 3300 // VULHUB: VHN-3907

AFFECTED PRODUCTS

vendor: checkpoint // model: firewall-1 // scope: eq // version: 4.0

Trust: 1.6

vendor: checkpoint // model: firewall-1 // scope: eq // version: 3.0

Trust: 1.6

vendor: checkpoint // model: firewall-1 // scope: eq // version: 4.1

Trust: 1.6

vendor: check // model: point software firewall-1 sp1 // scope: eq // version: 4.1

Trust: 0.3

vendor: check // model: point software firewall-1 // scope: eq // version: 4.1

Trust: 0.3

vendor: check // model: point software firewall-1 // scope: eq // version: 4.0

Trust: 0.3

vendor: check // model: point software firewall-1 // scope: eq // version: 3.0

Trust: 0.3

vendor: check // model: point software firewall-1 sp4 // scope: ne // version: 4.1

Trust: 0.3

vendor: check // model: point software firewall-1 sp3 // scope: ne // version: 4.1

Trust: 0.3

vendor: check // model: point software firewall-1 sp2 // scope: ne // version: 4.1

Trust: 0.3

sources: BID: 3300 // CNNVD: CNNVD-200109-022 // NVD: CVE-2001-1102

CVSS

SEVERITY

nvd@nist.gov: CVE-2001-1102
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200109-022
value: MEDIUM

Trust: 0.6

VULHUB: VHN-3907
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2001-1102
severity: MEDIUM
baseScore: 6.2
vectorString: AV:L/AC:H/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-3907
severity: MEDIUM
baseScore: 6.2
vectorString: AV:L/AC:H/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-3907 // CNNVD: CNNVD-200109-022 // NVD: CVE-2001-1102

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2001-1102

THREAT TYPE

local

Trust: 0.9

sources: BID: 3300 // CNNVD: CNNVD-200109-022

TYPE

race condition

Trust: 0.6

sources: CNNVD: CNNVD-200109-022

EXTERNAL IDS

db: NVD // id: CVE-2001-1102

Trust: 2.0

db: BID // id: 3300

Trust: 2.0

db: CNNVD // id: CNNVD-200109-022

Trust: 0.7

db: BUGTRAQ // id: 20010908 BUG IN COMPILE PORTION FOR OLDER VERSIONS OF CHECKPOINT FIREWALLS

Trust: 0.6

db: XF // id: 7094

Trust: 0.6

db: XF // id: 1

Trust: 0.6

db: VULHUB // id: VHN-3907

Trust: 0.1

sources: VULHUB: VHN-3907 // BID: 3300 // CNNVD: CNNVD-200109-022 // NVD: CVE-2001-1102

REFERENCES

url:http://www.securityfocus.com/bid/3300

Trust: 1.7

url:http://www.securityfocus.com/archive/1/212824

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/7094

Trust: 1.1

url:http://xforce.iss.net/static/7094.php

Trust: 0.6

sources: VULHUB: VHN-3907 // CNNVD: CNNVD-200109-022 // NVD: CVE-2001-1102

CREDITS

This vulnerability was announced by Alan Darien <adarien@securetrendz.com> via Bugtraq on September 8, 2001.

Trust: 0.3

sources: BID: 3300

SOURCES

db: VULHUB // id: VHN-3907
db: BID // id: 3300
db: CNNVD // id: CNNVD-200109-022
db: NVD // id: CVE-2001-1102

LAST UPDATE DATE

2024-08-14T12:38:19.458000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-3907 // date: 2017-12-19T00:00:00
db: BID // id: 3300 // date: 2009-07-11T07:56:00
db: CNNVD // id: CNNVD-200109-022 // date: 2006-01-04T00:00:00
db: NVD // id: CVE-2001-1102 // date: 2017-12-19T02:29:33.190

SOURCES RELEASE DATE

db: VULHUB // id: VHN-3907 // date: 2001-09-08T00:00:00
db: BID // id: 3300 // date: 2001-09-08T00:00:00
db: CNNVD // id: CNNVD-200109-022 // date: 2001-09-08T00:00:00
db: NVD // id: CVE-2001-1102 // date: 2001-09-08T04:00:00