CVE-2019-18932

21.01.2020, 18:15

log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory, and place symlinks in it (after winning a /tmp/sarg/denied.int_unsort race condition). The outcome will be corrupted or newly created files in privileged file system locations.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7 HIGH	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Vendor	Product	Version
squid_analysis_report_generator_project	squid_analysis_report_generator	𝑥 ≤ 2.3.11
opensuse	backports_sle	15.0:sp1
opensuse	leap	15.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

sarg

bookworm	2.4.0-3 fixed
sid	2.4.0-4 fixed
trixie	2.4.0-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

sarg

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	needs-triage
eoan	ignored
disco	ignored
bionic	needs-triage
xenial	needs-triage
trusty	dne

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00051.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00063.html

http://www.openwall.com/lists/oss-security/2020/01/20/6

http://www.openwall.com/lists/oss-security/2020/01/27/1

https://bugzilla.suse.com/show_bug.cgi?id=1150554

https://seclists.org/oss-sec/2020/q1/23

https://security.gentoo.org/glsa/202007-32

https://sourceforge.net/projects/sarg/