Lynis Security Notice: 1.5.4 and older
This week a vulnerability was reported in versions up to Lynis 1.5.4. With Lynis
being a security audit tool and focused on hardening Linux and Unix based systems, we regret any (security) bug being discovered. Since it is open source software, we like to be open about the issue, to help you understanding it and take the right precautions.
Description:
The temporary files created in the tests_webservers section are too predictable.
This may resulting in a possible race condition, where a local user creates the
temporary file and symlinks it to an existing system file. Lynis then uses this
file to store temporary data. As a result data is overwritten in the (linked) file.
Advice:
You are advised to upgrade Lynis to at least version 1.5.5, which has adjustments
to counter the vulnerability.
Workarounds:
Remove the temporary file creation in tests_webservers and disable the related tests using the temporary files.
Risks:
The chance for exploitation is considered low. The following conditions have to apply:
- Lynis has to be executed at that moment (usually once a day, or less).
- Access to the system is needed to the temporary file (to create file and guess the right name)
- Perfect timing of creating the symbolic link, as the window of opportunity is very small.
Related information:
Unfortunately this bug was not reported according common rules of responsible disclosure.
This resulted in two different CVE entries where created.
CVE-2014-3982: AIX
CVE-2014-3986: Linux and others (except AIX)
We are sorry for any inconvenience and will use this blog post as the main article to provide any further updates.
