RSA Identity Governance & Lifecycle Malicious Code Execution by root Vulnerability

Advisory Type

Unknown

Advisory Content

Article Number

000036315

CVE ID

000036315

Applies To

Article Summary

Resolution steps for malicious code execution by root vulnerability.

Alert Impact

Impacted - Apply RSA Remedy

Alert Impact Explanation

The presence of a dot in the $PATH variable for the 'root' user may lead to execution of malicious code as the root user.

Status of any 'dot (. or :. or .: )' entries within the 'root user's $PATH' variable
Presence of a dot in the $PATH variable for the 'root' user will cause a binary in the current directory to be preferentially executed over other, originally desired, system binaries of the same name. Therefore, adding the ':.' (colon + dot) to the root $PATH can cause execution of malicious code as the root user. For example, if the administrator were to log in as root and switch to a directory that had a file called cd within it and that file contained the text rm -rf this command would act in place of the original system cd command and wipe out the contents to the target directory.

Resolution

This issue is fixed in RSA Identity Governance & Lifecycle 7.1.0 P02 and 7.0.2 P08. For all other versions/patch levels, upgrade to the fixed version/patch level or otherwise follow the procedure below to remediate the issue.

Login to the appliance as root
Use the three commands below to backup the files that will be changed. Each command should return no output and no errors:

    mkdir /tmp/ACM-83000-backup
    
cd ${AVEKSA_HOME}/deploy
    
cp -t /tmp/ACM-83000-backup /root/setDeployEnv.sh upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

Run only one of the following commands, based on your current RSA product version. No output or errors should be returned:

While still in the ${AVEKSA_HOME}/deploy directory, run the following command. It should return no output and no errors:

    sed -i 's_#!/bin/sh_#!/bin/bash_' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh
   

While still in the ${AVEKSA_HOME}/deploy directory, run the following command to check if the dot has been removed from the PATH statement in /root/setDeployEnv.sh:

    grep 'export PATH=' /root/setDeployEnv.sh
   

The command should display output as shown in the table below, according to the RSA product version:

While still in the ${AVEKSA_HOME}/deploy directory, use the following command to check if the shell has been changed for the specified script files:

    grep -n '#!/bin/bash' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh
   

The command should display the following output:

    upgrade_utils.sh:1:#!/bin/bash
    
upgradeDB.sh:1:#!/bin/bash
    
generateLoginKey.sh:1:#!/bin/bash
    
oracle/dboraAbort.sh:1:#!/bin/bash
    
/home/oracle/database/cliAveksa.sh:1:#!/bin/bash

Notes

Backout

Should you need to backout these changes, the original files can be copied from the backup directory to their original locations as follows:

Login to the appliance as root
Run the following commands:

    cp /tmp/ACM-83000-backup/setDeployEnv.sh /root
    
cp /tmp/ACM-83000-backup/dboraAbort.sh ${AVEKSA_HOME}/deploy/oracle
    
cp /tmp/ACM-83000-backup/cliAveksa.sh ${AVEKSA_HOME}/database
    
cp /tmp/ACM-83000-backup/{upgrade_utils.sh,upgradeDB.sh,generateLoginKey.sh} ${AVEKSA_HOME}/deploy