{"api_version":"1","generated_at":"2026-04-23T10:17:56+00:00","cve":"CVE-2007-1057","urls":{"html":"https://cve.report/CVE-2007-1057","api":"https://cve.report/api/cve/CVE-2007-1057.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2007-1057","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2007-1057"},"summary":{"title":"CVE-2007-1057","description":"The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.","state":"PUBLISHED","assigner":"mitre","published_at":"2007-02-21 23:28:00","updated_at":"2026-04-23 00:35:47"},"problem_types":["NVD-CWE-Other","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.9","severity":"","vector":"AV:L/AC:M/Au:N/C:C/I:C/A:C","data":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:C/I:C/A:C","baseScore":6.9,"accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"}}],"references":[{"url":"http://www.securityfocus.com/bid/22632","name":"http://www.securityfocus.com/bid/22632","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Nortel SSL VPN Net Direct Client Local Privilege Escalation Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html","name":"http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Nortel VPN -- UNIX Client local root compromise (spoofed.org)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2007/0671","name":"http://www.vupen.com/english/advisories/2007/0671","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf","name":"http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Nortel: Technical Support: Access Denied","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071","name":"http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"http://secunia.com/advisories/24231","name":"http://secunia.com/advisories/24231","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Nortel Net Direct Client for Linux Privilege Escalation - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/3356","name":"https://www.exploit-db.com/exploits/3356","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Nortel SSL VPN Linux Client 6.0.3 - Local Privilege Escalation - Linux local Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://osvdb.org/33304","name":"http://osvdb.org/33304","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"0"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32597","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32597","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id?1017678","name":"http://www.securitytracker.com/id?1017678","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"SecurityTracker.com Archives - Nortel Net Direct SSL VPN Client Race Condition Lets Local Users Gain Root Privileges","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2007-1057","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-1057","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2007","cve_id":"1057","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"nortel","cpe5":"alteon_2424_application_switch","cpe6":"23.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2007","cve_id":"1057","vulnerable":"1","versionEndIncluding":"6.0.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nortel","cpe5":"net_direct_client","cpe6":"*","cpe7":"*","cpe8":"linux","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2007","cve_id":"1057","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"nortel","cpe5":"ssl_vpn_module_1000","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2007","cve_id":"1057","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"nortel","cpe5":"vpn_gateway_3070","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T12:43:22.572Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"ADV-2007-0671","tags":["vdb-entry","x_refsource_VUPEN","x_transferred"],"url":"http://www.vupen.com/english/advisories/2007/0671"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf"},{"name":"3356","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/3356"},{"name":"netdirect-permissions-privilege-escalation(32597)","tags":["vdb-entry","x_refsource_XF","x_transferred"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32597"},{"name":"33304","tags":["vdb-entry","x_refsource_OSVDB","x_transferred"],"url":"http://osvdb.org/33304"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html"},{"name":"22632","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/22632"},{"name":"24231","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/24231"},{"name":"1017678","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id?1017678"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2007-02-20T00:00:00.000Z","descriptions":[{"lang":"en","value":"The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-10-10T00:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"ADV-2007-0671","tags":["vdb-entry","x_refsource_VUPEN"],"url":"http://www.vupen.com/english/advisories/2007/0671"},{"tags":["x_refsource_CONFIRM"],"url":"http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf"},{"name":"3356","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/3356"},{"name":"netdirect-permissions-privilege-escalation(32597)","tags":["vdb-entry","x_refsource_XF"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32597"},{"name":"33304","tags":["vdb-entry","x_refsource_OSVDB"],"url":"http://osvdb.org/33304"},{"tags":["x_refsource_CONFIRM"],"url":"http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071"},{"tags":["x_refsource_MISC"],"url":"http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html"},{"name":"22632","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/22632"},{"name":"24231","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/24231"},{"name":"1017678","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id?1017678"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2007-1057","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"ADV-2007-0671","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2007/0671"},{"name":"http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf","refsource":"CONFIRM","url":"http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf"},{"name":"3356","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/3356"},{"name":"netdirect-permissions-privilege-escalation(32597)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32597"},{"name":"33304","refsource":"OSVDB","url":"http://osvdb.org/33304"},{"name":"http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071","refsource":"CONFIRM","url":"http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071"},{"name":"http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html","refsource":"MISC","url":"http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html"},{"name":"22632","refsource":"BID","url":"http://www.securityfocus.com/bid/22632"},{"name":"24231","refsource":"SECUNIA","url":"http://secunia.com/advisories/24231"},{"name":"1017678","refsource":"SECTRACK","url":"http://www.securitytracker.com/id?1017678"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2007-1057","datePublished":"2007-02-21T23:00:00.000Z","dateReserved":"2007-02-21T00:00:00.000Z","dateUpdated":"2024-08-07T12:43:22.572Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2007-02-21 23:28:00","lastModifiedDate":"2026-04-23 00:35:47","problem_types":["NVD-CWE-Other","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:C/I:C/A:C","baseScore":6.9,"accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"MEDIUM","exploitabilityScore":3.4,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":true,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:nortel:alteon_2424_application_switch:23.2:*:*:*:*:*:*:*","matchCriteriaId":"1C090AFB-0E2A-4740-8CA3-23B56891392F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:nortel:ssl_vpn_module_1000:*:*:*:*:*:*:*:*","matchCriteriaId":"E6954FC4-A84F-4387-A952-D92C0977100F"},{"vulnerable":false,"criteria":"cpe:2.3:h:nortel:vpn_gateway_3070:*:*:*:*:*:*:*:*","matchCriteriaId":"C489779E-CBD7-4EAB-BAB4-2691246E0D27"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nortel:net_direct_client:*:*:linux:*:*:*:*:*","versionEndIncluding":"6.0.4","matchCriteriaId":"DD6FFA75-05EA-4ECA-8102-0525191CA91C"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2007","CveId":"1057","Ordinal":"1","Title":"CVE-2007-1057","CVE":"CVE-2007-1057","Year":"2007"},"notes":[{"CveYear":"2007","CveId":"1057","Ordinal":"1","NoteData":"The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.","Type":"Description","Title":"CVE-2007-1057"},{"CveYear":"2007","CveId":"1057","Ordinal":"2","NoteData":"2007-02-21","Type":"Other","Title":"Published"},{"CveYear":"2007","CveId":"1057","Ordinal":"3","NoteData":"2017-10-09","Type":"Other","Title":"Modified"}]}}}