RSA Identity Governance & Lifecycle Malicious Code Execution by root Vulnerability

3 years ago

Originally Published: 2018-05-02

Article Number

000067212

Applies To

RSA Product Name	Versions	Platforms
RSA Identity Governance & Lifecycle	7.1 P01 and earlier	RSA hardware appliance Virtual application (OVA) with RSA-provided database Virtual application (OVA) with customer-supplied database Software Bundle with RSA database Software Bundle for Customer Supplied Database
RSA Identity Governance & Lifecycle	7.0.2 P07 and earlier 7.0.1	RSA hardware appliance Software Bundle (also known as Soft-Appliance) with RSA database Software Bundle (also known as Soft-Appliance) for Customer Supplied Database
RSA Via Lifecycle & Governance	7.0	RSA hardware appliance Software Bundle (also known as Soft-Appliance) with RSA database Software Bundle (also known as Soft-Appliance) for Customer Supplied Database

CVE Identifier(s)

CVE-2018-11049

Article Summary

Resolution steps for malicious code execution by root vulnerability.

Alert Impact

Impacted - Apply RSA Remedy

Alert Impact Explanation

The presence of a dot in the $PATH variable for the 'root' user may lead to execution of malicious code as the root user.

Status of any 'dot (. or :. or .: )' entries within the 'root user's $PATH' variable
Presence of a dot in the $PATH variable for the 'root' user will cause a binary in the current directory to be preferentially executed over other, originally desired, system binaries of the same name. Therefore, adding the ':.' (colon + dot) to the root $PATH can cause execution of malicious code as the root user. For example, if the administrator were to log in as root and switch to a directory that had a file called cd within it and that file contained the text rm -rf this command would act in place of the original system cd command and wipe out the contents to the target directory.

Resolution

This issue is fixed in RSA Identity Governance & Lifecycle 7.1.0 P02 and 7.0.2 P08. For all other versions/patch levels, upgrade to the fixed version/patch level or otherwise follow the procedure below to remediate the issue.

Login to the appliance as root
Use the three commands below to backup the files that will be changed. Each command should return no output and no errors:

mkdir /tmp/ACM-83000-backup
cd ${AVEKSA_HOME}/deploy
cp -t /tmp/ACM-83000-backup /root/setDeployEnv.sh upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

Run only one of the following commands, based on your current RSA product version. No output or errors should be returned:

Product Version	Output
v7.1.0 P01 and earlier	sed -i 's/export PATH=".:/export PATH="/' /root/setDeployEnv.sh
v7.0.2 P07 and earlier v7.0.1 v7.0	sed -i 's/export PATH=.:/export PATH=/' /root/setDeployEnv.sh

While still in the ${AVEKSA_HOME}/deploy directory, run the following command. It should return no output and no errors:

sed -i 's_#!/bin/sh_#!/bin/bash_' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

While still in the ${AVEKSA_HOME}/deploy directory, run the following command to check if the dot has been removed from the PATH statement in /root/setDeployEnv.sh:

grep 'export PATH=' /root/setDeployEnv.sh

The command should display output as shown in the table below, according to the RSA product version:

Product Version	Output
v7.1.0 P01 and earlier	export PATH="${ORACLE_HOME}/bin:$PATH" export PATH="${ORACLE_CLIENT_HOME}:$PATH" export PATH="${JAVA_HOME}/bin:$PATH"
v7.0.2 P07 and earlier v7.0.1 v7.0	export PATH=$ORACLE_HOME/bin:$ORACLE_CLIENT_HOME:$JAVA_HOME/bin:$PATH

While still in the ${AVEKSA_HOME}/deploy directory, use the following command to check if the shell has been changed for the specified script files:

grep -n '#!/bin/bash' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

The command should display the following output:

upgrade_utils.sh:1:#!/bin/bash
upgradeDB.sh:1:#!/bin/bash
generateLoginKey.sh:1:#!/bin/bash
oracle/dboraAbort.sh:1:#!/bin/bash
/home/oracle/database/cliAveksa.sh:1:#!/bin/bash

Notes

Backout

Should you need to backout these changes, the original files can be copied from the backup directory to their original locations as follows:

Login to the appliance as root
Run the following commands:

cp /tmp/ACM-83000-backup/setDeployEnv.sh /root
cp /tmp/ACM-83000-backup/dboraAbort.sh ${AVEKSA_HOME}/deploy/oracle
cp /tmp/ACM-83000-backup/cliAveksa.sh ${AVEKSA_HOME}/database
cp /tmp/ACM-83000-backup/{upgrade_utils.sh,upgradeDB.sh,generateLoginKey.sh} ${AVEKSA_HOME}/deploy

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Don't see what you're looking for?

Backout

Related Articles

Trending Articles