Red Hat linux restore uses insecure environment variables allowing root compromise

Overview

Some implementations of the Linux restoration utility, restore, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if restore is setuid root.

Description

Some implementations of the Linux restoration utility, restore, permit use of storage devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, restore is protected setuid root.

---

Impact

By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on restore to secure root access for themselves to execute arbitrary commands.

---

Solution

Apply vendor patches; see the Systems Affected section below.

---

Remove the setuid protection from restore.

---

Vendor Information

960877

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

RedHat __ Affected

Notified: October 31, 2000 Updated: July 23, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/redhat_advisory-849.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23960877 Feedback>).

Debian __ Not Affected

Notified: July 16, 2001 Updated: July 23, 2001

Status

Not Affected

Vendor Statement

Both programs are not installed setuid root or setgid root on a Debian GNU/Linux 2.2 (stable) system nor on Debian unstable (upcoming release).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23960877 Feedback>).

Engarde __ Not Affected

Notified: July 16, 2001 Updated: July 23, 2001

Status

Not Affected

Vendor Statement

We are not vulnerable as we do not ship the dump and restore utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23960877 Feedback>).

OpenBSD __ Not Affected

Notified: July 16, 2001 Updated: July 23, 2001

Status

Not Affected

Vendor Statement

Our dump & restore have not been setuid or setgid for a very long time. We have also fixed numerous other bugs in them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23960877 Feedback>).

SGI __ Not Affected

Notified: July 16, 2001 Updated: July 16, 2001

Status

Not Affected

Vendor Statement

None of the EFS and XFS dump/restore tools in IRIX are setuid root per an SGI engineer, so we believe IRIX is not vulnerable unless proven otherwise.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23960877 Feedback>).

Hewlett Packard __ Unknown

Notified: July 16, 2001 Updated: August 07, 2001

Status

Unknown

Vendor Statement

Vendor could not reproduce this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23960877 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

<http://www.securityfocus.com/bid/1914&gt;

Acknowledgements

This vulnerability was first reported through discussion on Bugtraq .

This document was last modified by Tim Shimeall.

Other Information

CVE IDs:	CVE-2000-1125
Severity Metric:	20.06 Date Public: