PT-2017-13577 · Kannel · Kannel

Published: 2017-09-20 · Updated: 2019-10-03 · CVE-2017-14609

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Kannel versions 1.5.0 and earlier

Description

The server daemons in Kannel create a PID file after dropping privileges to a non-root account. This could allow local users to terminate arbitrary processes by modifying the PID file before a root script executes a command to kill a process using the PID from the file. This issue has been demonstrated with bearerbox.

Recommendations

For Kannel versions 1.5.0 and earlier, consider restricting access to the PID file to prevent local users from modifying it, until a fix is available. As a temporary workaround, consider modifying the script that executes the "kill" command to use a more secure method of obtaining the process ID, rather than relying on the contents of the PID file.
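
One way to apply the workaround above in a root-run stop script, as an added example that is not from this advisory or the Kannel project: validate the PID file and confirm the process is the expected daemon before anything is passed to kill. The function names, the paths and the `kannel` account in the usage comment are assumptions, and the process check relies on Linux `/proc` and a `stat` that supports `-c`.

```shell
#!/bin/sh
# Added example: hardened PID lookup for a root-run stop script.
# Function names, paths and the account name are assumptions, not Kannel's.

# Print the PID stored in file $1 only if the file is a regular file (not a
# symlink) whose first line is one positive decimal number greater than 1.
read_pidfile() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    pid=
    IFS= read -r pid < "$f" || [ -n "$pid" ] || return 1
    case $pid in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
    esac
    [ "${#pid}" -le 9 ] || return 1    # implausibly long value
    [ "$pid" -gt 1 ] || return 1       # never hand PID 1 to kill
    printf '%s\n' "$pid"
}

# Succeed only if process $1 runs executable $2 under numeric uid $3.
# Uses Linux /proc; a missing process or unreadable link fails closed.
pid_matches() {
    [ -n "$2" ] && [ -d "/proc/$1" ] || return 1
    [ "$(readlink "/proc/$1/exe" 2>/dev/null)" = "$2" ] || return 1
    [ "$(stat -c %u "/proc/$1" 2>/dev/null)" = "$3" ] || return 1
}

# Print the PID that is safe to signal, or return non-zero.
# Args: pidfile, expected executable path, expected numeric uid.
safe_daemon_pid() {
    p=$(read_pidfile "$1") || return 1
    pid_matches "$p" "$2" "$3" || return 1
    printf '%s\n' "$p"
}

# Usage in the stop script (constructed paths and account):
#   pid=$(safe_daemon_pid /var/run/kannel/bearerbox.pid \
#         /usr/sbin/bearerbox "$(id -u kannel)") && kill "$pid"
# The PID can still be reused between the check and the kill, so this
# narrows the window rather than closing it.
```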

Weakness Enumeration

Improper Initialization

Related Identifiers

CVE-2017-14609

Affected Products

Kannel