RSA Identity Governance & Lifecycle Malicious Code Execution by root Vulnerability

000036315

CVE-2018-11049

Resolution steps for malicious code execution by root vulnerability.

Impacted - Apply RSA Remedy

The presence of a dot in the $PATH variable for the 'root' user may lead to execution of malicious code as the root user. 

Status of any 'dot  (. or :. or .: )' entries within the 'root user's $PATH' variable
Presence of a dot in the $PATH variable for the 'root' user will cause a binary in the current directory to be preferentially executed over other, originally desired, system binaries of the same name.  Therefore, adding the ':.' (colon + dot) to the root $PATH can cause execution of malicious code as the root user.  For example, if the administrator were to log in as root and switch to a directory that had a file called cd within it and that file contained the text rm -rf this command would act in place of the original system cd command and wipe out the contents to the target directory.

This issue is fixed in RSA Identity Governance & Lifecycle 7.1.0 P02 and 7.0.2 P08. For all other versions/patch levels, upgrade to the fixed version/patch level or otherwise follow the procedure below to remediate the issue.

1. Login to the appliance as root
2. Use the three commands below to backup the files that will be changed.  Each command should return no output and no errors:

3. Run only one of the following commands, based on your current RSA product version.  No output or errors should be returned:

4. While still in the ${AVEKSA_HOME}/deploy directory, run the following command.  It should return no output and no errors:

5. While still in the ${AVEKSA_HOME}/deploy directory, run the following command to check if the dot has been removed from the PATH statement in /root/setDeployEnv.sh:

6. While still in the ${AVEKSA_HOME}/deploy directory, use the following command to check if the shell has been changed for the specified script files:

Backout

Should you need to backout these changes, the original files can be copied from the backup directory to their original locations as follows:

1. Login to the appliance as root
2. Run the following commands:

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.