CVE-2011-3618

7.8 HIGH

📋 TL;DR

CVE-2011-3618 is a symlink attack vulnerability in the atop system monitoring tool due to insecure temporary file handling. Attackers can exploit this to overwrite arbitrary files on the system, potentially leading to privilege escalation or data corruption. Systems running vulnerable versions of atop with the tool executed by privileged users are affected.

💻 Affected Systems

Products:
  • atop
Versions: prior to 1.27-7 (RHEL/CentOS) and 1.26-2 (Debian/Ubuntu)
Operating Systems: Linux distributions including RHEL, CentOS, Debian, Ubuntu
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when atop is executed by privileged users (typically root via cron jobs or manual execution).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Privilege escalation to root, complete system compromise, or persistent backdoor installation through arbitrary file overwrites.

🟠 Likely Case: Local privilege escalation, where an attacker who already has local access gains elevated privileges on the system.

🟢 If Mitigated: Limited impact with proper file permissions and SELinux/AppArmor restrictions in place.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: MEDIUM - Internal attackers with shell access could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and knowledge of temporary file creation patterns. Symlink attacks are well-understood exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: atop-1.27-7 for RHEL/CentOS, atop-1.26-2 for Debian/Ubuntu

Vendor Advisory: https://access.redhat.com/security/cve/cve-2011-3618

Restart Required: No

Instructions:

1. Update via package manager: 'yum update atop' (RHEL/CentOS) or 'apt-get update && apt-get upgrade atop' (Debian/Ubuntu).
2. Verify the updated version with 'atop -V'.

🔧 Temporary Workarounds

Disable atop execution

Temporarily disable atop cron jobs or remove execution privileges:

chmod -x /usr/bin/atop
systemctl stop atop.service
crontab -e   # comment out atop entries

Use secure temporary directory

Configure atop to use a secure temporary directory with proper permissions:

mkdir -p /var/run/atop
chmod 700 /var/run/atop
export TMPDIR=/var/run/atop

🧯 If You Can't Patch

  • Restrict atop execution to trusted users only and monitor for unauthorized use
  • Implement mandatory access controls (SELinux/AppArmor) to limit which files atop may write

🔍 How to Verify

Check if Vulnerable:

Check the installed atop version: 'rpm -q atop' (RHEL/CentOS) or 'dpkg -l | grep atop' (Debian/Ubuntu). If the installed version is older than the patched versions listed above, the system is vulnerable.

Check Version:

atop -V 2>/dev/null || rpm -q atop || dpkg -l | grep atop

Verify Fix Applied:

Verify that the updated version is installed and, if you audit the source, check that temporary files are created securely (look for mkstemp or similar functions that create a uniquely named file exclusively, rather than opening a predictable path).
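The following is an added example, not atop's code and not part of this advisory, illustrating the temp-file handling class behind this CVE next to the hardened forms that the "Use secure temporary directory" workaround and the mkstemp check above point at. legacy_create() opens a fixed, predictable name without O_EXCL or O_NOFOLLOW, so a symlink planted at that name redirects the write; hardened_create() (O_CREAT|O_EXCL|O_NOFOLLOW) and secure_tempfile() (mkstemp in a private directory) refuse or avoid that. demo() builds its own private directory, plants the symlink itself, and returns 1 only when the legacy open writes through the link while the hardened variants do not. All file and directory names are constructed for the demonstration.

```c
/* Added example (not atop's code): insecure fixed-path temp file beside
 * the hardened patterns. Names under the demo directory are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern to flag in review: predictable path, no O_EXCL, no O_NOFOLLOW.
 * If `path` already exists as a symlink, the write lands wherever the link
 * points. This is the failure mode described in the advisory. */
static int legacy_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Minimal fix when the file name must stay fixed: create-only and never
 * follow a symlink. Fails (EEXIST, or ELOOP on some kernels) if anything
 * already occupies `path`. */
static int hardened_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred fix: a unique name chosen by mkstemp(), which creates the file
 * exclusively with mode 0600, so a pre-planted name cannot be reused. `dir`
 * should be writable only by the running user (the TMPDIR workaround).
 * Returns the fd and stores the chosen path in path_out, or returns -1. */
static int secure_tempfile(const char *dir, char *path_out, size_t path_len) {
    int n = snprintf(path_out, path_len, "%s/atop-XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len) return -1;
    return mkstemp(path_out);   /* replaces XXXXXX in place */
}

/* Returns 1 when behaviour matches the advisory: the legacy open follows the
 * planted symlink, the hardened open and mkstemp do not. -1 on setup error. */
int demo(void) {
    const char *base = getenv("TMPDIR");
    if (base == NULL) base = "/tmp";
    char dir[512];
    snprintf(dir, sizeof dir, "%s/cve-2011-3618-demo-XXXXXX", base);
    if (mkdtemp(dir) == NULL) {                 /* fall back to the cwd */
        snprintf(dir, sizeof dir, "./cve-2011-3618-demo-XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }

    char link[600], victim[600], tmp[600];
    snprintf(link, sizeof link, "%s/atop.tmp", dir);    /* predictable name */
    snprintf(victim, sizeof victim, "%s/victim", dir);  /* stand-in target */
    if (symlink(victim, link) != 0) { rmdir(dir); return -1; }

    int ok = 1;
    struct stat st;

    /* 1. Legacy open follows the link: a file now exists at `victim`. */
    int fd = legacy_create(link);
    if (fd < 0 || stat(victim, &st) != 0) ok = 0;
    if (fd >= 0) close(fd);
    unlink(victim);

    /* 2. Hardened open refuses because the symlink occupies the name,
     *    and nothing is written through the link. */
    errno = 0;
    fd = hardened_create(link);
    if (fd >= 0 || (errno != EEXIST && errno != ELOOP)) ok = 0;
    if (fd >= 0) close(fd);
    if (stat(victim, &st) == 0) { ok = 0; unlink(victim); }

    /* 3. mkstemp yields a fresh 0600 regular file and never touches the link. */
    fd = secure_tempfile(dir, tmp, sizeof tmp);
    if (fd < 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & 0777) != 0600) ok = 0;
    if (fd >= 0) { close(fd); unlink(tmp); }

    unlink(link);
    rmdir(dir);
    return ok;
}

int main(void) {
    int r = demo();
    printf("%s\n", r == 1 ? "legacy open followed the symlink; hardened opens did not"
                          : "demo could not run or behaved unexpectedly");
    return r == 1 ? 0 : 1;
}
```

When reviewing a build of atop or any other privileged tool, the open flags are the thing to check: O_EXCL together with O_NOFOLLOW, or mkstemp/mkostemp, in a directory that unprivileged users cannot write to. Setting TMPDIR as in the workaround only helps for code paths that honor it.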

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation in /tmp directories by the atop process
  • Symlink creation in temporary directories by unprivileged users
  • Failed privilege escalation attempts in system logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

process.name:"atop" AND file.path:"/tmp/*" AND file.action:"create"
