Munin Insecure Temporary File Creation Vulnerability

Bugtraq ID:	53031
Class:	Design Error
CVE:	CVE-2012-2103
Remote:	No
Local:	Yes
Published:	Apr 14 2012 12:00AM
Updated:	May 19 2014 08:15AM
Credit:	Helmut Grohne
Vulnerable:	Ubuntu Ubuntu Linux 12.04 LTS i386 Ubuntu Ubuntu Linux 12.04 LTS amd64 Ubuntu Ubuntu Linux 11.10 i386 Ubuntu Ubuntu Linux 11.10 amd64 Ubuntu Ubuntu Linux 10.04 sparc Ubuntu Ubuntu Linux 10.04 powerpc Ubuntu Ubuntu Linux 10.04 i386 Ubuntu Ubuntu Linux 10.04 ARM Ubuntu Ubuntu Linux 10.04 amd64 Munin Munin 1.4.5-3 Gentoo Linux
Not Vulnerable:

Munin Insecure Temporary File Creation Vulnerability

Munin is prone to a vulnerability because it creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks.

Successfully mounting a symlink attack may allow the attacker to corrupt sensitive files or gain access to sensitive information. Other attacks may also be possible.

Munin Insecure Temporary File Creation Vulnerability

An attacker can use readily available commands to exploit this issue.

Munin Insecure Temporary File Creation Vulnerability

Solution:
Updates are available. Please see the references for more information.

Munin Insecure Temporary File Creation Vulnerability

References:

• Bug 812889 - munin: Insecure temp file use in qmailscan plug-in (Red Hat Bugzilla)
  
• Munin Homepage (Munin)
  
• qmailscan: predictable /tmp file names (Helmut Grohne)