OpenVAS contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the program creating temporary files insecurely. It is possible for an attacker to use a symlink attack to cause the program to unexpectedly write to, or overwrite an attacker specified file.

OpenVAS contains a flaw that may allow a local attacker to overwrite arbitrary files. The issue is due to the temp_file_name() function in openvas-scanner/openvassd/utils.c creating a temporary file in an insecure manner. A significant amount of time occurs between the creation and use of this file by the ntp_ll_recv_file() function in ntp_11.c. During this period, an attacker can replace the temporary file with a symlink, eventually resulting in the targeted file to be overwritten. This can be used to delete the content of files and possibly escalate privileges by overwriting configuration files controlling security settings.

This was resoled with OpenVAS CR 47 (http://www.openvas.org/openvas-cr-47.html). Upgrade to version 3.0.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Mail List Post: http://lists.wald.intevation.org/pipermail/openvas-devel/2009-October/001863.html
  http://lists.wald.intevation.org/pipermail/openvas-devel/2009-October/001869.html
• Vendor URL: http://openvas.org/

• Tim Brown - OpenVAS

We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.