[Original text] install.iss installation script for Internet Security Scanner (ISS) for Linux, version 5.3, allows local users to change the permissions of arbitrary files via a symlink attack on a temporary file.
[CNNVD] Linux Internet Security Scanner (ISS) install.iss permission vulnerability (CNNVD-199902-046)
ISS Security Scanner Installer Temporary File Symlink
Local Access Required
Loss of Integrity
Internet Security Systems' Internet Security Scanner contains a flaw that allows a local attacker to cause a denial of service, truncate arbitrary files and potentially gain elevated privileges. The issue is due to the installation script's use of files in the /tmp directory, which are not properly checked. If an attacker is aware of an administrator's plans to install ISS on a system, they can prepare their own custom files in the /tmp directory to exploit these conditions.
Upgrade to version 6.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
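
The failure mode described above, next to a safer staging pattern, as an added example (not code from install.iss, whose contents are not shown on this page). The file names are hypothetical, and everything runs inside a private sandbox directory that stands in for /tmp.

```shell
#!/bin/sh
# Constructed demo: the sandbox directory stands in for /tmp and all
# file names are hypothetical, not taken from install.iss.

# Unsafe pattern: create a file at a predictable path, then chmod it.
# If that path already exists as a symlink, both the redirect and the
# chmod follow the link and act on its target.
unsafe_stage() {
    dir=$1
    : > "$dir/iss_install.tmp"        # hypothetical predictable name
    chmod 666 "$dir/iss_install.tmp"
}

# Hardened pattern: mktemp -d creates a new directory with an
# unpredictable name and mode 0700, so nothing inside it can have been
# planted by another user before the script runs.
safe_stage() {
    dir=$1
    scratch=$(mktemp -d "$dir/iss.XXXXXX") || return 1
    ( umask 077; : > "$scratch/install.tmp" ) || return 1
    chmod 600 "$scratch/install.tmp"
    printf '%s\n' "$scratch"
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Runs both patterns against a sandbox holding a pre-existing link and
# prints the protected file's mode after each: "<unsafe> <safe>".
demo() {
    sandbox=$(mktemp -d) || return 1
    : > "$sandbox/protected"
    chmod 600 "$sandbox/protected"
    # Constructed pre-existing link at the predictable name.
    ln -s "$sandbox/protected" "$sandbox/iss_install.tmp"
    unsafe_stage "$sandbox"
    after_unsafe=$(mode_of "$sandbox/protected")
    chmod 600 "$sandbox/protected"    # reset before the second run
    safe_stage "$sandbox" >/dev/null
    after_safe=$(mode_of "$sandbox/protected")
    rm -rf "$sandbox"
    printf '%s %s\n' "$after_unsafe" "$after_safe"
}
```

Calling `demo` shows the protected file's mode widened by the predictable-path pattern and left untouched by the `mktemp -d` pattern.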