Vulnerability Note VU#153653
Linux dump uses environment variables insecurely, allowing for root compromise
Some implementations of the Linux backup utility, dump, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if dump is setuid root.
Some implementations of the Linux backup utility, dump, permit use of backup devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, dump is protected setuid root.
By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on dump to secure root access for themselves to execute arbitrary commands.
Apply vendor patches; see the Systems Affected section below.
Remove suid protection from dump.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|RedHat||Affected||31 Oct 2000||03 Jul 2001|
|Conectiva||Not Affected||31 Oct 2000||03 Jul 2001|
|Debian||Not Affected||16 Jul 2001||23 Jul 2001|
|Engarde||Not Affected||16 Jul 2001||23 Jul 2001|
|MandrakeSoft||Not Affected||31 Oct 2000||03 Jul 2001|
|OpenBSD||Not Affected||16 Jul 2001||16 Jul 2001|
|SGI||Not Affected||16 Jul 2001||16 Jul 2001|
|Hewlett Packard||Unknown||16 Jul 2001||07 Aug 2001|
CVSS Metrics (Learn More)
This vulnerability was first reported throught discussion on Bugtraq
This document was last modified by Tim Shimeall.
- CVE IDs: CAN-2000-1009
- Date Public: 31 Oct 2000
- Date First Published: 21 Aug 2001
- Date Last Updated: 21 Aug 2001
- Severity Metric: 18.88
- Document Revision: 9
If you have feedback, comments, or additional information about this vulnerability, please send us email.