search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Red Hat linux restore uses insecure environment variables allowing root compromise

Vulnerability Note VU#960877

Original Release Date: 2001-08-21 | Last Revised: 2001-08-21

Overview

Some implementations of the Linux restoration utility, restore, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if restore is setuid root.

Description

Some implementations of the Linux restoration utility, restore, permit use of storage devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, restore is protected setuid root.

Impact

By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on restore to secure root access for themselves to execute arbitrary commands.

Solution

Apply vendor patches; see the Systems Affected section below.

Remove the setuid protection from restore.

Vendor Information

960877
 
Affected   Unknown   Unaffected

RedHat

Notified:  October 31, 2000 Updated:  July 23, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/redhat_advisory-849.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  July 16, 2001 Updated:  July 23, 2001

Status

  Not Vulnerable

Vendor Statement

Both programs are not installed setuid root or setgid root on a Debian GNU/Linux 2.2 (stable) system nor on Debian unstable (upcoming release).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde

Notified:  July 16, 2001 Updated:  July 23, 2001

Status

  Not Vulnerable

Vendor Statement

We are not vulnerable as we do not ship the dump and restore utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  July 16, 2001 Updated:  July 23, 2001

Status

  Not Vulnerable

Vendor Statement

Our dump & restore have not been setuid or setgid for a very long time. We have also fixed numerous other bugs in them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  July 16, 2001 Updated:  July 16, 2001

Status

  Not Vulnerable

Vendor Statement

None of the EFS and XFS dump/restore tools in IRIX are setuid root per an SGI engineer, so we believe IRIX is not vulnerable unless proven otherwise.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  July 16, 2001 Updated:  August 07, 2001

Status

  Unknown

Vendor Statement

Vendor could not reproduce this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was first reported through discussion on Bugtraq .

This document was last modified by Tim Shimeall.

Other Information

CVE IDs: CVE-2000-1125
Severity Metric: 20.06
Date Public: 2000-11-04
Date First Published: 2001-08-21
Date Last Updated: 2001-08-21 13:10 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.