Linux dump uses environment variables insecurely, allowing for root compromise

Overview

Some implementations of the Linux backup utility, dump, call external programs on remote machines via the RSH environment variable. This may permit an attacker to compromise root if dump is setuid root.

Description

Some implementations of the Linux backup utility, dump, permit use of backup devices on remote machines via an access program on the local machine. This access program is identified in the RSH environment variable. The value in the environment variable is not validated for security prior to its use in calling a program. In some implementations, dump is protected setuid root.

---

Impact

By specifying a shell script of their own devising, malicious local users can exploit the setuid protection on dump to secure root access for themselves to execute arbitrary commands.

---

Solution

Apply vendor patches; see the Systems Affected section below.

---

Remove suid protection from dump.

---

Vendor Information

153653

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

RedHat __ Affected

Notified: October 31, 2000 Updated: July 03, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/redhat_advisory-849.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

Conectiva __ Not Affected

Notified: October 31, 2000 Updated: July 03, 2001

Status

Not Affected

Vendor Statement

Our last mandatory update of the dump package (June 29th, 2000)brought it up to version 0.4b18 and had the SUID bits disabled.

These packages do not have the vulnerability that could give a local attacker root access.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

Debian __ Not Affected

Notified: July 16, 2001 Updated: July 23, 2001

Status

Not Affected

Vendor Statement

Both programs are not installed setuid root or setgid root on a Debian GNU/Linux 2.2 (stable) system nor on Debian unstable (upcoming release).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

Engarde __ Not Affected

Notified: July 16, 2001 Updated: July 23, 2001

Status

Not Affected

Vendor Statement

We are not vulnerable as we do not ship the dump and restore utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

MandrakeSoft __ Not Affected

Notified: October 31, 2000 Updated: July 03, 2001

Status

Not Affected

Vendor Statement

<http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-065.php3&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

OpenBSD __ Not Affected

Notified: July 16, 2001 Updated: July 16, 2001

Status

Not Affected

Vendor Statement

Our dump & restore have not been setuid or setgid for a very long time. We have also fixed numerous other bugs in them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

SGI __ Not Affected

Notified: July 16, 2001 Updated: July 16, 2001

Status

Not Affected

Vendor Statement

None of the EFS and XFS dump/restore tools in IRIX are setuid root per an SGI engineer, so we believe IRIX is not vulnerable unless proven otherwise.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

Hewlett Packard __ Unknown

Notified: July 16, 2001 Updated: August 07, 2001

Status

Unknown

Vendor Statement

Vendor could not reproduce this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153653 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/1871&gt;
• <http://www.linuxsecurity.com/advisories/redhat_advisory-849.html&gt;
• <http://xforce.iss.net/static/5437.php&gt;

Acknowledgements

This vulnerability was first reported throught discussion on Bugtraq

This document was last modified by Tim Shimeall.

Other Information

CVE IDs:	CVE-2000-1009
Severity Metric:	18.88 Date Public: