Static tempfile name allows overwriting of arbitrary files

Vulnerability

In yast2-multipath versions prior to 4.1.1, the application uses a static temporary filename when creating temporary files. This occurs in the multipath configuration tool, which is typically invoked by the YaST system management framework. The vulnerability is present on systems that do not have symlink protection enabled (e.g., /tmp without the sticky bit or without kernel protections like protected_symlinks). Affected versions include all releases before 4.1.1 [1].

Exploitation

An attacker with local access to the system can exploit this by creating a symbolic link with the same static temporary filename before the vulnerable process runs. No special privileges are required beyond the ability to create files in the temporary directory (typically /tmp). The attacker must time the creation of the symlink to precede the vulnerable process's use of the temporary file, but since the filename is static, a race condition is not necessary; the attacker can pre-create the symlink. The vulnerable process then writes to the symlink, overwriting the target file [1].

Impact

Successful exploitation allows a local attacker to overwrite arbitrary files on the system, potentially leading to privilege escalation (e.g., overwriting configuration files or binaries) or denial of service. The attacker gains the ability to write to any file that the user running yast2-multipath can write to, which typically includes system files if run as root [1].

Mitigation

The vulnerability is fixed in yast2-multipath version 4.1.1, released on or before 2019-03-15. Users should update to this version or later. For systems that cannot be immediately updated, enabling symlink protection mechanisms (e.g., setting the sticky bit on /tmp, enabling protected_symlinks kernel parameter) can mitigate the risk. No workaround is provided by the vendor beyond upgrading [1].