CVE-2007-1057

High

Description

The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.

References

https://www.exploit-db.com/exploits/3356

https://exchange.xforce.ibmcloud.com/vulnerabilities/32597

http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071

http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf

http://www.vupen.com/english/advisories/2007/0671

http://www.securitytracker.com/id?1017678

http://www.securityfocus.com/bid/22632

http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html

http://secunia.com/advisories/24231

http://osvdb.org/33304

Details

Source: Mitre, NVD

Published: 2007-02-21

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00147