Bug#775681: multiple /tmp file vulnerabilities
Helmut Grohne
helmut at subdivi.de
Sun Jan 18 16:16:19 UTC 2015
Package: kamailio
Version: 4.2.0-1.1
Severity: important
Tags: security
The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which
can be selected via the CFGFILE= setting in /etc/default/kamailio. The
configuration contains:
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
This setting is insecure and may allow local users to elevate privileges
to the kamailio user.
The issue extends to kamailio-advanced.cfg. It seems that this is due to
an incomplete fix of #712083. Looking further, the state of /tmp file
vulnerabilities in kamailio looks worrisome. Most of the results of the
following command (to be executed in the kamailio source) are likely
vulnerable if executed:
grep '/tmp/[a-z0-9_.-]\+\(\$\$\)\?\([" ]\|$\)' -r .
Granted, some of the results are examples, documentation or obsolete.
But quite a few reach the default settings:
* kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
* The kamailio build definitely is vulnerable as can be seen in
utils/kamctl/Makefile.
More research clearly is required here. Given these findings, the
security team may want to veto the inclusion of kamailio in a stable
release, which would be very unfortunate as kamailio is quite a unique
piece of software with little competitors in its field.
Helmut
More information about the Pkg-voip-maintainers
mailing list