search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Linux dump uses environment variables insecurely, allowing for root compromise

Vulnerability Note VU#153653

Original Release Date: 2001-08-21 | Last Revised: 2001-08-21

Overview

Some implementations of the Linux backup utility, dump, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if dump is setuid root.

Description

Some implementations of the Linux backup utility, dump, permit use of backup devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, dump is protected setuid root.

Impact

By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on dump to secure root access for themselves to execute arbitrary commands.

Solution

Apply vendor patches; see the Systems Affected section below.

Remove suid protection from dump.

Vendor Information

153653
Expand all

RedHat

Notified:  October 31, 2000 Updated:  July 03, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/redhat_advisory-849.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  October 31, 2000 Updated:  July 03, 2001

Status

  Not Vulnerable

Vendor Statement

Our last mandatory update of the dump package (June 29th, 2000)brought it up to version 0.4b18 and had the SUID bits disabled.

These packages do not have the vulnerability that could give a local attacker root access.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  July 16, 2001 Updated:  July 23, 2001

Status

  Not Vulnerable

Vendor Statement

Both programs are not installed setuid root or setgid root on a Debian GNU/Linux 2.2 (stable) system nor on Debian unstable (upcoming release).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde

Notified:  July 16, 2001 Updated:  July 23, 2001

Status

  Not Vulnerable

Vendor Statement

We are not vulnerable as we do not ship the dump and restore utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  October 31, 2000 Updated:  July 03, 2001

Status

  Not Vulnerable

Vendor Statement

http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-065.php3

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  July 16, 2001 Updated:  July 16, 2001

Status

  Not Vulnerable

Vendor Statement

Our dump & restore have not been setuid or setgid for a very long time. We have also fixed numerous other bugs in them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  July 16, 2001 Updated:  July 16, 2001

Status

  Not Vulnerable

Vendor Statement

None of the EFS and XFS dump/restore tools in IRIX are setuid root per an SGI engineer, so we believe IRIX is not vulnerable unless proven otherwise.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  July 16, 2001 Updated:  August 07, 2001

Status

  Unknown

Vendor Statement

Vendor could not reproduce this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was first reported throught discussion on Bugtraq

This document was last modified by Tim Shimeall.

Other Information

CVE IDs: CVE-2000-1009
Severity Metric: 18.88
Date Public: 2000-10-31
Date First Published: 2001-08-21
Date Last Updated: 2001-08-21 13:07 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.