RSA Identity Governance & Lifecycle Malicious Code Execution by root Vulnerability
3 years ago
Originally Published: 2018-05-02
Article Number
000067212
Applies To
RSA Product NameVersionsPlatforms
RSA Identity Governance & Lifecycle7.1 P01 and earlierRSA hardware appliance
Virtual application (OVA) with RSA-provided database
Virtual application (OVA) with customer-supplied database
Software Bundle with RSA database
Software Bundle for Customer Supplied Database
RSA Identity Governance & Lifecycle7.0.2 P07 and earlier
7.0.1		RSA hardware appliance
Software Bundle (also known as Soft-Appliance) with RSA database
Software Bundle (also known as Soft-Appliance) for Customer Supplied Database
RSA Via Lifecycle & Governance7.0RSA hardware appliance
Software Bundle (also known as Soft-Appliance) with RSA database
Software Bundle (also known as Soft-Appliance) for Customer Supplied Database
CVE Identifier(s)
CVE-2018-11049
Article Summary
Resolution steps for malicious code execution by root vulnerability.
Alert Impact
Impacted - Apply RSA Remedy
Alert Impact Explanation
The presence of a dot in the $PATH variable for the 'root' user may lead to execution of malicious code as the root user. 

Status of any 'dot  (. or :. or .: )' entries within the 'root user's $PATH' variable
Presence of a dot in the $PATH variable for the 'root' user will cause a binary in the current directory to be preferentially executed over other, originally desired, system binaries of the same name.  Therefore, adding the ':.' (colon + dot) to the root $PATH can cause execution of malicious code as the root user.  For example, if the administrator were to log in as root and switch to a directory that had a file called cd within it and that file contained the text rm -rf this command would act in place of the original system cd command and wipe out the contents to the target directory.

Resolution
This issue is fixed in RSA Identity Governance & Lifecycle 7.1.0 P02 and 7.0.2 P08. For all other versions/patch levels, upgrade to the fixed version/patch level or otherwise follow the procedure below to remediate the issue.
  1. Login to the appliance as root
  2. Use the three commands below to backup the files that will be changed.  Each command should return no output and no errors:
mkdir /tmp/ACM-83000-backup
cd ${AVEKSA_HOME}/deploy
cp -t /tmp/ACM-83000-backup /root/setDeployEnv.sh upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh
  1. Run only one of the following commands, based on your current RSA product version.  No output or errors should be returned:
Product VersionOutput
v7.1.0 P01 and earlier 
sed -i 's/export PATH=".:/export PATH="/' /root/setDeployEnv.sh
v7.0.2 P07 and earlier
v7.0.1
v7.0		 
sed -i 's/export PATH=.:/export PATH=/' /root/setDeployEnv.sh
  1. While still in the ${AVEKSA_HOME}/deploy directory, run the following command.  It should return no output and no errors:
sed -i 's_#!/bin/sh_#!/bin/bash_' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh
  1. While still in the ${AVEKSA_HOME}/deploy directory, run the following command to check if the dot has been removed from the PATH statement in /root/setDeployEnv.sh:
grep 'export PATH=' /root/setDeployEnv.sh

The command should display output as shown in the table below, according to the RSA product version:
Product VersionOutput
v7.1.0 P01 and earlier 
export PATH="${ORACLE_HOME}/bin:$PATH"
export PATH="${ORACLE_CLIENT_HOME}:$PATH"
export PATH="${JAVA_HOME}/bin:$PATH"
v7.0.2 P07 and earlier
v7.0.1
v7.0		 
export PATH=$ORACLE_HOME/bin:$ORACLE_CLIENT_HOME:$JAVA_HOME/bin:$PATH
 
  1. While still in the ${AVEKSA_HOME}/deploy directory, use the following command to check if the shell has been changed for the specified script files:
grep -n '#!/bin/bash' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

The command should display the following output:
upgrade_utils.sh:1:#!/bin/bash
upgradeDB.sh:1:#!/bin/bash
generateLoginKey.sh:1:#!/bin/bash
oracle/dboraAbort.sh:1:#!/bin/bash
/home/oracle/database/cliAveksa.sh:1:#!/bin/bash
Notes

Backout

Should you need to backout these changes, the original files can be copied from the backup directory to their original locations as follows:
  1. Login to the appliance as root
  2. Run the following commands:
cp /tmp/ACM-83000-backup/setDeployEnv.sh /root
cp /tmp/ACM-83000-backup/dboraAbort.sh ${AVEKSA_HOME}/deploy/oracle
cp /tmp/ACM-83000-backup/cliAveksa.sh ${AVEKSA_HOME}/database
cp /tmp/ACM-83000-backup/{upgrade_utils.sh,upgradeDB.sh,generateLoginKey.sh} ${AVEKSA_HOME}/deploy
Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Related Articles

Trending Articles

Don't see what you're looking for?