CVE-2011-3351 in openvas-scanner

Summary

by MITRE

openvas-scanner before 2011-09-11 creates a temporary file insecurely when generating OVAL system characteristics document with the ovaldi integrated tool enabled. A local attacker could use this flaw to conduct symlink attacks to overwrite arbitrary files on the system.

Analysis

by VulDB Data Team • 02/27/2024

CVE-2011-3351 affects openvas-scanner prior to 2011-09-11, specifically its handling of temporary file creation while generating OVAL system characteristics documents. The issue arises when the integrated ovaldi tool is enabled and can be exploited by local attackers. It is a classic insecure temporary file creation flaw with significant implications for system integrity and security.

The root cause is improper handling of temporary file creation in the openvas-scanner component. When the scanner generates OVAL system characteristics documents using the ovaldi tool, it creates temporary files without sufficient safeguards against symbolic link attacks. An attacker can establish symbolic links that point to sensitive system files, thereby enabling the overwrite of arbitrary files with malicious content. The vulnerability is categorized under CWE-377 (insecure temporary file creation) and aligns with CWE-378, which addresses creation of temporary files with insecure permissions.

The operational impact extends beyond simple privilege escalation: the flaw gives local attackers a mechanism to compromise system integrity and confidentiality. An attacker with local access can overwrite critical system files, configuration files, or even binaries, potentially leading to persistent access or system compromise. The attack requires local system access but no privileges beyond those the user already has, which makes it particularly concerning for environments where local access is not strictly controlled. Files are overwritten in the context of the openvas-scanner process, potentially allowing privilege escalation or data corruption.

Mitigation for CVE-2011-3351 should focus on updating to the patched version of openvas-scanner released after September 11, 2011, which addresses the insecure temporary file creation issue. Organizations should also implement proper file permission controls and ensure that the ovaldi tool is disabled when it is not required. Security monitoring should include detection of suspicious temporary file creation patterns and symlink usage within the scanner's operational context. The ATT&CK framework categorizes this vulnerability under T1059 (command and scripting interpreter) and T1548 (abuse of privileges), as it allows privilege escalation through file system manipulation. System administrators should also consider additional controls such as mandatory access controls and file integrity monitoring to detect unauthorized file modifications that could result from this vulnerability. Regular security assessments and vulnerability scanning should verify that temporary file handling mechanisms are properly secured, to prevent similar issues in other software components.
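
The weakness class described in the analysis, shown as an added C example (not openvas-scanner code and not taken from this entry): an unsafe open of a predictable temporary name next to two hardened forms. The function names, the `oval-` and `scan.tmp` file names and the sandbox helper are hypothetical.

```c
/* Added illustration of CWE-377; NOT openvas-scanner source code.
 * All function names and paths here are hypothetical. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: predictable name, no O_EXCL. A pre-existing symlink at `path` is
 * followed, and O_TRUNC empties whatever file it points to. */
int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened, caller-chosen name: O_EXCL fails with EEXIST if anything,
 * including a symlink, already exists at `path`. */
int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it with
 * O_EXCL and mode 0600. The final name is written to `out`. */
int open_tmp_mkstemp(const char *dir, char *out, size_t n) {
    int w = snprintf(out, n, "%s/oval-XXXXXX", dir);
    if (w < 0 || (size_t)w >= n) return -1;   /* template did not fit */
    return mkstemp(out);
}

/* Constructed sandbox: a 9-byte file plus a symlink to it at a predictable
 * temp name, inside a private mkdtemp() directory. Returns the file's size
 * after `opener` ran on the link (-1 on setup error); *fd gets its result. */
long size_after_open(int (*opener)(const char *), int *fd) {
    char dir[] = "/tmp/cwe377-XXXXXX", target[64], lnk[64];
    struct stat st;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/scan.tmp", dir);
    if (!(f = fopen(target, "w"))) return -1;
    fputs("important", f);
    fclose(f);
    if (symlink(target, lnk) != 0) return -1;
    *fd = opener(lnk);
    if (*fd >= 0) close(*fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(target); rmdir(dir);
    return size;
}
```

On Linux, `fs.protected_symlinks=1` additionally restricts following another user's symlink in sticky world-writable directories such as `/tmp`, which is why the sandbox uses a private directory.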

Reservation: 08/30/2011
Moderation: accepted
CPE: ready
EPSS: 0.00147
KEV: no
Activities: very low
