             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    CoolKey Security and Bug Fix Update
                        [Red Hat RHSA-2007:0631-4]

November 7, 2007 22:00 GMT                                        Number S-042
______________________________________________________________________________
PROBLEM:       A flaw was discovered in the way coolkey created a temporary
               directory.
PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux Desktop (v. 5 client)
DAMAGE:        A local attacker could perform a symlink attack and cause
               arbitrary files to be overwritten.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A local attacker could perform a symlink
ASSESSMENT:    attack and cause arbitrary files to be overwritten.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-042.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0631.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4129
______________________________________________________________________________
[***** Start Red Hat RHSA-2007:0631-4 *****]

Low: coolkey security and bug fix update

Advisory:          RHSA-2007:0631-4
Type:              Security Advisory
Severity:          Low
Issued on:         2007-11-07
Last updated on:   2007-11-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
                   Red Hat Enterprise Linux (v. 5 server)
                   Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:              com.redhat.rhsa-20070631.xml
CVEs (cve.mitre.org): CVE-2007-4129

Details

Updated coolkey packages that fix a security issue and various bugs are now
available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.

coolkey contains the driver support for the CoolKey and Common Access Card
(CAC) Smart Card products. The CAC is used by the U.S. Government.

Steve Grubb discovered a flaw in the way coolkey created a temporary
directory. A local attacker could perform a symlink attack and cause
arbitrary files to be overwritten. (CVE-2007-4129)

In addition, the updated packages contain fixes for the following bugs in
the CAC Smart Card support:

* CAC Smart Cards can have from 1 to 3 certificates. The coolkey driver,
  however, was not recognizing cards if they had less than 3 certificates.

* logging into a CAC Smart Card token with a new application would cause
  other, already authenticated, applications to lose their login status
  unless the Smart Card was then removed from the reader and re-inserted.

All CAC users should upgrade to these updated packages, which resolve these
issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------
IA-32:
coolkey-devel-1.1.0-5.el5.i386.rpm      420831d4a8b91dfeeed93dca86958264

x86_64:
coolkey-devel-1.1.0-5.el5.i386.rpm      420831d4a8b91dfeeed93dca86958264
coolkey-devel-1.1.0-5.el5.x86_64.rpm    d94108f3f7c7a5b6a91ef5db9c71ec76

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
coolkey-1.1.0-5.el5.src.rpm             be2b4382d36b1e2d2fa3b7530bbea26b

IA-32:
coolkey-1.1.0-5.el5.i386.rpm            734a4e94f71f9d8dcadc1b40af734442
coolkey-devel-1.1.0-5.el5.i386.rpm      420831d4a8b91dfeeed93dca86958264

IA-64:
coolkey-1.1.0-5.el5.ia64.rpm            03d0815c1d295fcc22338839ccdf5e41
coolkey-devel-1.1.0-5.el5.ia64.rpm      2cb167ef2c9a3fd05dd9a84fe3bcd89b

PPC:
coolkey-1.1.0-5.el5.ppc.rpm             907006f844462842bbe197a8a1fa3915
coolkey-1.1.0-5.el5.ppc64.rpm           47f4e5c0933af668243c6118217e0a74
coolkey-devel-1.1.0-5.el5.ppc.rpm       e7cc7de5db3d0bdf8e2edf99e5cbc05a
coolkey-devel-1.1.0-5.el5.ppc64.rpm     cec5f0cdc94054f76734417f179ae395

x86_64:
coolkey-1.1.0-5.el5.i386.rpm            734a4e94f71f9d8dcadc1b40af734442
coolkey-1.1.0-5.el5.x86_64.rpm          a4732c520ce771644185307d2b2dd036
coolkey-devel-1.1.0-5.el5.i386.rpm      420831d4a8b91dfeeed93dca86958264
coolkey-devel-1.1.0-5.el5.x86_64.rpm    d94108f3f7c7a5b6a91ef5db9c71ec76

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
coolkey-1.1.0-5.el5.src.rpm             be2b4382d36b1e2d2fa3b7530bbea26b

IA-32:
coolkey-1.1.0-5.el5.i386.rpm            734a4e94f71f9d8dcadc1b40af734442

x86_64:
coolkey-1.1.0-5.el5.i386.rpm            734a4e94f71f9d8dcadc1b40af734442
coolkey-1.1.0-5.el5.x86_64.rpm          a4732c520ce771644185307d2b2dd036

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

200295 - Coolkey does not support CAC cards with less than 3 certs
200316 - Open apps loose the CAC card after a C_logout from another app.
251774 - CVE-2007-4129 coolkey file and directory permission flaw

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4129
http://www.redhat.com/security/updates/classification/#low

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0631-4 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-032: CUPS Security Update and Bug Fix Update
S-033: AIX lqueryvg Buffer Overflow Vulnerability
S-034: SonicWall NetExtender NELaunchCtrl ActiveX Vulnerability
S-035: Perdition Format String Error
S-036: Mono Vulnerability
S-037: Perl-Compatible Regular Expression (PCRE) Vulnerabilities
S-038: Perl Security Update
S-039: httpd Security Update
S-040: Vulnerability in Macrovision SECDRV.SYS Driver on Windows
S-041: Wireshark Security Update