000029163 - How to mitigate CVE-2014-4877 (WGET FTP Symlink Attack Vulnerability) on AM 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Jun 17, 2016.
Version 7

Article Content

Article Number: 000029163
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: Other
Platform (Other): na
O/S Version: Other
Issue: AM 8.1 P5 and earlier scan positive for CVE-2014-4877 (GNU Wget FTP symlink attack vulnerability).
AM 7.1 is not affected because it does not ship wget. AM 8.1 could be exposed only if an administrator or root user manually runs a wget FTP retrieval against a compromised or attacker-controlled external FTP server.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
 
Tasks

Authentication Manager does not use wget internally for FTP. The attack can occur only if a customer logs in as rsaadmin (or root) and manually runs wget to retrieve data from an attacker-controlled remote FTP server; the vulnerable code path is the recursive FTP retrieval described in the Notes below.
RSA strongly recommends that customers not download data into the appliance from external sources; see the Security Configuration Guide. Customers who never run wget on the appliance do not need to change anything.


A configuration-level mitigation, a change to /etc/wgetrc, is described in the Rapid7 advisory linked below.

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

Resolution: Mitigation.

The Rapid7 advisory (https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access) gives a mitigation that only requires a change to the wget configuration:

"you can mitigate the issue by adding the line "retr-symlinks=on" to either /etc/wgetrc or ~/.wgetrc"

/etc/wgetrc applies to every user on the appliance; ~/.wgetrc applies only to the account whose home directory it is in, so the system-wide file is the safer place for the setting. With retr-symlinks=on, wget retrieves the file a symbolic link points to instead of creating a local symbolic link, so a malicious LIST response can no longer plant a link that a later entry in the same listing writes through.
Edit /etc/wgetrc as rsaadmin using sudo (Engineering advises sudo vi /etc/wgetrc rather than vi /etc/wgetrc, because the file is owned by root):

$ sudo vi /etc/wgetrc

Scroll down to the end of the file.

Press i to enter insert mode.

Add the line:

retr-symlinks=on

Press <esc> to leave insert mode.

Type :wq to save and exit, or :q! to exit without saving.

Make sure the new line is not preceded by "#": a commented-out retr-symlinks line in the shipped file does not enable the setting.
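The following script is an added example and is not part of the RSA article or of any RSA tooling. It checks what retr-symlinks value a wgetrc file actually enforces (wget applies rc lines in order, so the last uncommented assignment wins, and it accepts the option name with or without dashes or underscores and the boolean as on/off, yes/no or 1/0), appends retr-symlinks=on only when it is missing or off, and tells you whether a given wget version string is 1.16 or later, where the secure behaviour is already the default (see the Notes below). The sample wgetrc contents and the temporary file are constructed for the demonstration; on the appliance, run it as sudo sh check_wgetrc.sh /etc/wgetrc (the script name is an assumption).

```shell
#!/bin/sh
# Added example (not from the RSA article): check and enforce the
# CVE-2014-4877 mitigation (retr-symlinks=on) in a wgetrc file.
# Usage on the appliance: sudo sh check_wgetrc.sh /etc/wgetrc

# Print the effective retr-symlinks value in a wgetrc file and return 0
# only if it is true. wget applies rc lines in order, so the last
# uncommented assignment wins; option names are case-, dash- and
# underscore-insensitive and booleans may be on/off, yes/no or 1/0.
wgetrc_retr_symlinks_value() {
    file="$1"
    [ -f "$file" ] || { echo "missing"; return 1; }
    value=$(grep -Ei '^[[:space:]]*retr[-_]*symlinks[[:space:]]*=' "$file" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    if [ -z "$value" ]; then
        echo "unset"
        return 1
    fi
    echo "$value"
    case "$value" in
        on|yes|1) return 0 ;;
        *)        return 1 ;;
    esac
}

# Append retr-symlinks=on unless the file already enforces it. Appending
# (rather than editing in place) is enough because the last line wins,
# and running this twice adds nothing the second time.
wgetrc_enforce_retr_symlinks() {
    file="$1"
    if wgetrc_retr_symlinks_value "$file" >/dev/null; then
        return 0
    fi
    printf '\n# CVE-2014-4877 mitigation: never create local symlinks from FTP LIST\nretr-symlinks=on\n' >> "$file"
}

# Return 0 if a wget version string ("1.14", "1.20.3") is 1.16 or later,
# where retr-symlinks=on is already the default.
wget_version_fixed() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 16 ]; }
}

# Demonstration on a constructed wgetrc copy, never on the real file:
# the commented-out line must not count, and "retr_symlinks = off" must
# be read as the current (vulnerable) setting before the fix is applied.
demo() {
    tmp=$(mktemp)
    printf '# retr-symlinks=on\nretr_symlinks = off\n' > "$tmp"
    if v=$(wgetrc_retr_symlinks_value "$tmp"); then
        echo "already mitigated: retr-symlinks=$v"
    else
        echo "before: retr-symlinks=$v"
        wgetrc_enforce_retr_symlinks "$tmp"
        echo "after:  retr-symlinks=$(wgetrc_retr_symlinks_value "$tmp")"
    fi
    rm -f "$tmp"
    # If wget is installed, report whether its version predates the fix.
    if command -v wget >/dev/null 2>&1; then
        ver=$(wget --version | head -n 1 | sed -E 's/^GNU Wget ([0-9.]+).*/\1/')
        if wget_version_fixed "$ver"; then
            echo "wget $ver: default is already retr-symlinks=on"
        else
            echo "wget $ver: predates the fix, keep the wgetrc setting"
        fi
    fi
}

# With a path argument, enforce the setting in that file; otherwise
# run the demonstration on a temporary copy.
if [ "$#" -eq 1 ]; then
    wgetrc_enforce_retr_symlinks "$1"
else
    demo
fi
```

The value function is deliberately the only place that parses the file, so the "is it already set" check and the idempotent append cannot disagree about what wget will actually read.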
Notes

Overview
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877


Problem Description:
Updated wget packages fix a security vulnerability:
Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP (CVE-2014-4877).


The default settings in wget have been changed such that wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the wget command.
http://www.linuxsecurity.com/content/view/162561
