DISA UNIX SRR scripts execute untrusted programs as root

ID VU:433821
Type cert
Reporter CERT
Modified 2009-12-09T00:00:00



The Defense Information Systems Agency (DISA) UNIX Security Readiness Review (SRR) scripts find(1) and execute (-exec) various programs to obtain version information. The SRR scripts are designed to be run as root. An attacker who can write a file under the root file system may be able to exploit this vulnerability to execute arbitrary code with root privileges.


DISA provides SRR scripts to help perform security reviews of various operating systems and applications. The UNIX SRR scripts check versions of various programs by searching the root file system and executing programs with options to display version information. The scripts generally use find(1) with the -exec expression primary. The scripts execute programs based on file name. If an attacker can place a file with an appropriate name on the file system, that file will be executed by the SRR script. The SRR scripts are designed to be run with root privileges.


An attacker who is able to write a file under the root file system (most likely, but not necessarily a local user) can execute arbitrary code with root privileges.


The DISA Field Security Office (FSO) is reviewing the UNIX SRR scripts and preparing changes to address these issues.

Modify SRR scripts

Given sufficient understanding of the SRR scripts, it is possible to modify them to skip the program execution steps or change to a less privileged user before executing the programs.

Determine version information safely

Take care when executing programs as root, to determine version information or for any other reason.

* Determine version information passively, for instance, by checking file properties. 
* Execute programs with version options using a non-privileged account. 
* Execute only trusted programs, for example, using absolute file paths and files/directories that are not writable by non-root users.

Systems Affected

Vendor| Status| Date Notified| Date Updated
DISA Field Security Office (FSO)| | -| 09 Dec 2009
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A


  • <http://www.securityfocus.com/archive/1/508188/100/0/threaded>
  • <http://www.securityfocus.com/archive/1/508332/100/0/threaded>
  • <http://iase.disa.mil/stigs/SRR/unix.html>
  • <http://iase.disa.mil/stigs/>
  • <http://www.dtic.mil/whs/directives/corres/pdf/850001p.pdf>


Thanks to Frank Stuart for reporting these issues and working with DISA FSO.

This document was written by Art Manion.

Other Information

  • CVE IDs: CVE-2009-4211
  • Date Public: 03 Dec 2009
  • Date First Published: 09 Dec 2009
  • Date Last Updated: 09 Dec 2009
  • Severity Metric: 4.63
  • Document Revision: 20