CERTVU:433821DISA UNIX SRR scripts execute untrusted programs as root
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
37.3%
Overview
The Defense Information Systems Agency (DISA) UNIX Security Readiness Review (SRR) scripts find(1) and execute (-exec) various programs to obtain version information. The SRR scripts are designed to be run as root. An attacker who can write a file under the root file system may be able to exploit this vulnerability to execute arbitrary code with root privileges.
Description
DISA provides SRR scripts to help perform security reviews of various operating systems and applications. The UNIX SRR scripts check versions of various programs by searching the root file system and executing programs with options to display version information. The scripts generally use find(1) with the -exec expression primary. The scripts execute programs based on file name. If an attacker can place a file with an appropriate name on the file system, that file will be executed by the SRR script. The SRR scripts are designed to be run with root privileges.
Impact
An attacker who is able to write a file under the root file system (most likely, but not necessarily a local user) can execute arbitrary code with root privileges.
Solution
The DISA Field Security Office (FSO) is reviewing the UNIX SRR scripts and preparing changes to address these issues.
Modify SRR scripts
Given sufficient understanding of the SRR scripts, it is possible to modify them to skip the program execution steps or change to a less privileged user before executing the programs.
Determine version information safely
Take care when executing programs as root, to determine version information or for any other reason.
* Determine version information passively, for instance, by checking file properties.
* Execute programs with version options using a non-privileged account.
* Execute only trusted programs, for example, using absolute file paths and files/directories that are not writable by non-root users.
Vendor Information
433821
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
DISA Field Security Office (FSO) __ Affected
Updated: December 09, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The DISA Field Security Office (FSO) is reviewing the UNIX SRR scripts and preparing changes to address these issues.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.securityfocus.com/archive/1/508188/100/0/threaded>
- <http://www.securityfocus.com/archive/1/508332/100/0/threaded>
- <http://iase.disa.mil/stigs/SRR/unix.html>
- <http://iase.disa.mil/stigs/>
- <http://www.dtic.mil/whs/directives/corres/pdf/850001p.pdf>
Acknowledgements
Thanks to Frank Stuart for reporting these issues and working with DISA FSO.
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2009-4211 |
|---|---|
| Severity Metric: | 4.63 Date Public: |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
37.3%