Details of VAR-200702-0458

ID

VAR-200702-0458

CVE

CVE-2007-1057

TITLE

Nortel Application Switch Used in products such as Net Direct Vulnerability in arbitrary code execution by other users in the client

Trust: 0.8

sources: JVNDB: JVNDB-2007-003408

DESCRIPTION

The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. Nortel SSL VPN Net Direct Client is prone to a local privilege-escalation vulnerability. Successfully exploiting this issue allows local users to execute arbitrary code with superuser privileges, facilitating the complete compromise of affected computers. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Nortel Net Direct Client for Linux Privilege Escalation SECUNIA ADVISORY ID: SA24231 VERIFY ADVISORY: http://secunia.com/advisories/24231/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: Nortel Net Direct Client for Linux 6.x http://secunia.com/product/13523/ DESCRIPTION: Jon Hart has reported a vulnerability in Net Direct Client for Linux, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused by a combination of insecure permissions and a race condition when downloading and executed client binaries. The vulnerability is reported in versions 6.0.1 through 6.0.3. SOLUTION: Update to version 6.0.5. PROVIDED AND/OR DISCOVERED BY: Jon Hart, spoofed.org. ORIGINAL ADVISORY: Nortel Networks: http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071 Jon Hart: http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2007-1057 // JVNDB: JVNDB-2007-003408 // BID: 22632 // VULHUB: VHN-24419 // PACKETSTORM: 54539

AFFECTED PRODUCTS

vendor:	nortel	model:	net direct client	scope:	lte	version:	6.0.4	Trust: 1.0
vendor:	nortel	model:	net direct client	scope:	lt	version:	6.0.5	Trust: 0.8
vendor:	nortel	model:	alteon 2424 application switch	scope:	eq	version:	23.2	Trust: 0.6
vendor:	nortel	model:	networks vpn	scope:	eq	version:	30700	Trust: 0.3
vendor:	nortel	model:	networks vpn	scope:	eq	version:	30500	Trust: 0.3
vendor:	nortel	model:	networks ssl vpn net direct client	scope:	eq	version:	6.0.3	Trust: 0.3
vendor:	nortel	model:	networks ssl vpn net direct client	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	nortel	model:	networks ssl vpn net direct client	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	nortel	model:	networks ssl vpn module	scope:	eq	version:	10000	Trust: 0.3
vendor:	nortel	model:	networks application switch	scope:	eq	version:	24240	Trust: 0.3
vendor:	nortel	model:	networks ssl vpn net direct client	scope:	ne	version:	6.0.5	Trust: 0.3

sources: BID: 22632 // JVNDB: JVNDB-2007-003408 // CNNVD: CNNVD-200702-363 // NVD: CVE-2007-1057

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2007-1057
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2007-1057
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200702-363
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-24419
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2007-1057
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-24419
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-24419 // JVNDB: JVNDB-2007-003408 // CNNVD: CNNVD-200702-363 // NVD: CVE-2007-1057

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-1057

THREAT TYPE

local

Trust: 1.0

sources: BID: 22632 // PACKETSTORM: 54539 // CNNVD: CNNVD-200702-363

TYPE

competitive condition

Trust: 0.6

sources: CNNVD: CNNVD-200702-363

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-003408

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-24419

PATCH

title:

Top page

url:

http://www.nortel-canada.com/

Trust: 0.8

sources: JVNDB: JVNDB-2007-003408

EXTERNAL IDS

db:	NVD	id:	CVE-2007-1057	Trust: 2.8
db:	BID	id:	22632	Trust: 2.0
db:	SECUNIA	id:	24231	Trust: 1.8
db:	SECTRACK	id:	1017678	Trust: 1.7
db:	OSVDB	id:	33304	Trust: 1.7
db:	EXPLOIT-DB	id:	3356	Trust: 1.7
db:	VUPEN	id:	ADV-2007-0671	Trust: 1.7
db:	JVNDB	id:	JVNDB-2007-003408	Trust: 0.8
db:	CNNVD	id:	CNNVD-200702-363	Trust: 0.7
db:	MILW0RM	id:	3356	Trust: 0.6
db:	XF	id:	32597	Trust: 0.6
db:	SEEBUG	id:	SSVID-64500	Trust: 0.1
db:	VULHUB	id:	VHN-24419	Trust: 0.1
db:	PACKETSTORM	id:	54539	Trust: 0.1

sources: VULHUB: VHN-24419 // BID: 22632 // JVNDB: JVNDB-2007-003408 // PACKETSTORM: 54539 // CNNVD: CNNVD-200702-363 // NVD: CVE-2007-1057

REFERENCES

url:	http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html	Trust: 2.1
url:	http://www.securityfocus.com/bid/22632	Trust: 1.7
url:	http://www116.nortelnetworks.com/pub/repository/clarify/document/2007/08/021886-01.pdf	Trust: 1.7
url:	http://osvdb.org/33304	Trust: 1.7
url:	http://www.securitytracker.com/id?1017678	Trust: 1.7
url:	http://secunia.com/advisories/24231	Trust: 1.7
url:	http://www130.nortelnetworks.com/go/main.jsp?cscat=bltndetail&documentoid=540071	Trust: 1.7
url:	https://www.exploit-db.com/exploits/3356	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2007/0671	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/32597	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1057	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-1057	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/32597	Trust: 0.6
url:	http://www.milw0rm.com/exploits/3356	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2007/0671	Trust: 0.6
url:	http://www130.nortelnetworks.com/go/main.jsp?cscat=bltndetail&documentoid=540071&renditionid=&poid=null	Trust: 0.3
url:	http://www130.nortelnetworks.com/go/main.jsp?cscat=bltndetail&documentoid=540071	Trust: 0.1
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/product/13523/	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1
url:	http://secunia.com/software_inspector/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/24231/	Trust: 0.1

sources: VULHUB: VHN-24419 // BID: 22632 // JVNDB: JVNDB-2007-003408 // PACKETSTORM: 54539 // CNNVD: CNNVD-200702-363 // NVD: CVE-2007-1057

CREDITS

Jon Hart discovered this vulnerability.

Trust: 0.9

sources: BID: 22632 // CNNVD: CNNVD-200702-363

SOURCES

db:	VULHUB	id:	VHN-24419
db:	BID	id:	22632
db:	JVNDB	id:	JVNDB-2007-003408
db:	PACKETSTORM	id:	54539
db:	CNNVD	id:	CNNVD-200702-363
db:	NVD	id:	CVE-2007-1057

LAST UPDATE DATE

2025-04-10T23:01:21.825000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-24419	date:	2017-10-11T00:00:00
db:	BID	id:	22632	date:	2015-05-12T19:34:00
db:	JVNDB	id:	JVNDB-2007-003408	date:	2012-09-25T00:00:00
db:	CNNVD	id:	CNNVD-200702-363	date:	2007-06-27T00:00:00
db:	NVD	id:	CVE-2007-1057	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-24419	date:	2007-02-21T00:00:00
db:	BID	id:	22632	date:	2007-02-20T00:00:00
db:	JVNDB	id:	JVNDB-2007-003408	date:	2012-09-25T00:00:00
db:	PACKETSTORM	id:	54539	date:	2007-02-23T02:32:16
db:	CNNVD	id:	CNNVD-200702-363	date:	2007-02-21T00:00:00
db:	NVD	id:	CVE-2007-1057	date:	2007-02-21T23:28:00