Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title GNU Wget creates arbitrary symbolic links during recursive FTP download
Informations
Name VU#685996 First vendor Publication 2014-10-28
Vendor VU-CERT Last vendor Modification 2014-10-31
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#685996

GNU Wget creates arbitrary symbolic links during recursive FTP download

Original Release date: 28 Oct 2014 | Last revised: 31 Oct 2014

Overview

GNU wget allows arbitrary filesystem access when creating symbolic links during a recursive FTP download. This allows an attacker to overwrite files with the permissions of the user running wget.

Description

CWE-59: CWE-59: Improper Link Resolution Before File Access ('Link Following')

Wget is a common Unix utility to retrieve remote files. When wget is running in recursive mode (the -m or -r switch) with a FTP server as the destination, it is vulnerable to a link following attack. A malicious FTP server, when configured to provide symlinks in the directory listing, can force the client wget utility to enter into the the specified local symlink, navigating the local file system for the attacker. Wget will then download and create or overwrite existing files within the local symlink, setting permissions to those of the remote files.

See the Rapid7 advisory for more details.

Impact

A remote unauthenticated malicious FTP server, connected to the victim via wget, can create and overwrite arbitrary files in the context of the user running wget.

Solution

Apply an Update

This vulnerability is addressed in wget 1.16. Updates should also be available in various package formats for downstream Linux distributions. Check your distribution's package management system for updates.

Enable wget symlink traversal

In wget versions 1.15 and earlier, configure retr-symlinks=on in /etc/wgetrc or ~/.wgetrc or specify --retr-symlinks as a command line option to wget.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
GNU wgetAffected-28 Oct 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base5.8AV:N/AC:M/Au:N/C:N/I:P/A:P
Temporal4.8E:F/RL:OF/RC:C
Environmental3.6CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
  • http://cwe.mitre.org/data/definitions/59.html
  • https://bugzilla.redhat.com/show_bug.cgi?id=1139181
  • https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
  • http://www.gnu.org/software/wget/manual/wget.html#index-symbolic-links_002c-retrieving
  • http://gnu.huihoo.org/wget-1.8.1/html_node/wget_10.html
  • http://comments.gmane.org/gmane.comp.web.wget.general/10367

Credit

Thanks to HD Moore and John Hart of Rapid7, Inc. for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs:CVE-2014-4877
  • Date Public:27 Oct 2014
  • Date First Published:28 Oct 2014
  • Date Last Updated:31 Oct 2014
  • Document Revision:27

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/685996

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26933
 
Oval ID: oval:org.mitre.oval:def:26933
Title: ELSA-2014-1764 -- wget security update (moderate)
Description: [1.14-10.1] - Fix CVE-2014-4877 wget: FTP symlink arbitrary filesystem access (#1156135)
Family: unix Class: patch
Reference(s): ELSA-2014-1764
CVE-2014-4877
Version: 3
Platform(s): Oracle Linux 6
Oracle Linux 7
Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27511
 
Oval ID: oval:org.mitre.oval:def:27511
Title: DSA-3062-1 -- wget security update
Description: HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability allows to create arbitrary files on the user's system when Wget runs in recursive mode against a malicious FTP server. Arbitrary file creation may override content of user's files or permit remote code execution with the user privilege.
Family: unix Class: patch
Reference(s): DSA-3062-1
CVE-2014-4877
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28220
 
Oval ID: oval:org.mitre.oval:def:28220
Title: USN-2393-1 -- Wget vulnerability
Description: HD Moore discovered that Wget contained a path traversal vulnerability when downloading symlinks using FTP. A malicious remote FTP server or a man in the middle could use this issue to cause Wget to overwrite arbitrary files, possibly leading to arbitrary code execution.
Family: unix Class: patch
Reference(s): USN-2393-1
CVE-2014-4877
Version: 5
Platform(s): Ubuntu 14.10
Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28354
 
Oval ID: oval:org.mitre.oval:def:28354
Title: RHSA-2014:1764 -- wget security update (Moderate)
Description: The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution. (CVE-2014-4877) Note: This update changes the default value of the --retr-symlinks option. The file symbolic links are now traversed by default and pointed-to files are retrieved rather than creating a symbolic link locally. Red Hat would like to thank the GNU Wget project for reporting this issue. Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter. All users of wget are advised to upgrade to this updated package, which contains a backported patch to correct this issue.
Family: unix Class: patch
Reference(s): RHSA-2014:1764
CESA-2014:1764-CentOS 7
CESA-2014:1764-CentOS 6
CVE-2014-4877
Version: 3
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
CentOS Linux 7
CentOS Linux 6
Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28417
 
Oval ID: oval:org.mitre.oval:def:28417
Title: SUSE-SU-2014:1366-1 -- Security update for wget (important)
Description: wget has been updated to fix one security issue and two non-security issues. This security issue has been fixed: * FTP symlink arbitrary filesystem access (CVE-2014-4877). These non-security issues have been fixed: * Fix displaying of download time (bnc#901276). * Fix 0 size FTP downloads after failure (bnc#885069). Security Issues: * CVE-2014-4877 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1366-1
CVE-2014-4877
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28434
 
Oval ID: oval:org.mitre.oval:def:28434
Title: SUSE-SU-2014:1366-2 -- Security update for wget (important)
Description: wget was updated to fix one security issue and two non-security issues: * FTP symbolic link arbitrary filesystem access (CVE-2014-4877). * Fix displaying of download time (bnc#901276). * Fix 0 size FTP downloads after failure (bnc#885069). Security Issues: * CVE-2014-4877 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1366-2
CVE-2014-4877
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28443
 
Oval ID: oval:org.mitre.oval:def:28443
Title: SUSE-SU-2014:1464-1 -- Security update for wget (moderate)
Description: wget was updated to fix one security issue. This security issue was fixed: - FTP symlink arbitrary filesystem access (CVE-2014-4877).
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1464-1
CVE-2014-4877
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 12
Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28507
 
Oval ID: oval:org.mitre.oval:def:28507
Title: SUSE-SU-2014:1408-1 -- Security update for wget (important)
Description: wget was updated to fix one security issue: * FTP symbolic link arbitrary filesystem access (CVE-2014-4877). Security Issues: * CVE-2014-4877 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1408-1
CVE-2014-4877
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): wget
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 25

Snort® IPS/IDS

Date Description
2014-12-04 WGet symlink arbitrary file write attempt
RuleID : 32375 - Revision : 3 - Type : BROWSER-OTHER

Nessus® Vulnerability Scanner

Date Description
2015-05-27 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1366-2.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1464-1.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1408-1.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2015-121.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-82.nasl - Type : ACT_GATHER_INFO
2014-12-07 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15347.nasl - Type : ACT_GATHER_INFO
2014-12-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1955.nasl - Type : ACT_GATHER_INFO
2014-12-02 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15405.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0036.nasl - Type : ACT_GATHER_INFO
2014-11-24 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15385.nasl - Type : ACT_GATHER_INFO
2014-11-17 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201411-05.nasl - Type : ACT_GATHER_INFO
2014-11-11 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-637.nasl - Type : ACT_GATHER_INFO
2014-11-10 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_ee7b4f9d66c811e49ae1e8e0b722a85e.nasl - Type : ACT_GATHER_INFO
2014-11-06 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_wget-141105.nasl - Type : ACT_GATHER_INFO
2014-11-06 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-442.nasl - Type : ACT_GATHER_INFO
2014-11-04 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20141030_wget_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-11-04 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3062.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2393-1.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1764.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2014-1764.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2014-1764.nasl - Type : ACT_GATHER_INFO
2014-10-30 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-302-01.nasl - Type : ACT_GATHER_INFO
2014-10-30 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2014-212.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
Date Informations
2014-11-11 13:26:00
  • Multiple Updates
2014-10-31 21:20:53
  • Multiple Updates
2014-10-30 00:21:28
  • Multiple Updates
2014-10-29 21:28:11
  • Multiple Updates
2014-10-29 21:22:05
  • Multiple Updates
2014-10-29 17:27:08
  • Multiple Updates
2014-10-29 00:21:23
  • Multiple Updates
2014-10-28 21:22:04
  • First insertion