TUCoPS :: BSD :: ciacl037.htm

FreeBSD periodic Uses Insecure Temporary Files
FreeBSD periodic Uses Insecure Temporary Files Privacy and Legal Notice

CIAC INFORMATION BULLETIN

L-037: FreeBSD periodic Uses Insecure Temporary Files

 February 1, 2001 16:00 GMT
PROBLEM: A vulnerability has been found in periodic that causes temporary files with insecure file names to be used in the system's temporary directory.
PLATFORM: FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE prior to 2000-11-11. The problem was corrected prior to the release of FreeBSD 4.2.
DAMAGE: By default, periodic is normally called by cron for daily, weekly, and monthly maintenance. Because these scripts run as root, an attacker may potentially corrupt any file on the system.
SOLUTION: Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the correction date or patch your present system. Refer to section V. of this bulletin for additional information.
VULNERABILITY
ASSESSMENT:		 The risk is MEDIUM. A malicious local user could cause arbitrary files on the system to be corrupted. 

[****** Start FreeBSD Advisory ******]

=============================================================================
FreeBSD-SA-01:12                                            Security Advisory
                                                                FreeBSD, Inc.
Topic:        periodic uses insecure temporary files [REVISED]

Category:     core
Module:       periodic
Announced:    2001-01-29
Revised:      2001-01-29
Credits:      David Lary 
Affects:      FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE,
              and 4.1.1-STABLE prior to the correction date.
              No FreeBSD 3.x versions are affected.
Corrected:    2000-11-11
FreeBSD only: Yes

0. Revision History

v1.0 2001-01-29 Initial release
v1.1 2001-01-29 Correctly credit original problem reporter

I. Background

periodic is a program to run periodic system functions.

II. Problem Description

A vulnerability was inadvertently introduced into periodic that caused
temporary files with insecure file names to be used in the system's
temporary directory. This may allow a malicious local user to cause
arbitrary files on the system to be corrupted.

By default, periodic is normally called by cron for daily, weekly, and
monthly maintenance. Because these scripts run as root, an attacker
may potentially corrupt any file on the system.

FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE
prior to the correction date are vulnerable. The problem was
corrected prior to the release of FreeBSD 4.2.

III. Impact

Malicious local users can cause arbitrary files on the system to be
corrupted.

IV. Workaround

Do not allow periodic to be used in untrusted multi-user environments.

Disable the normal periodic system maintenance scripts by either
commenting-out or removing the periodic entries in /etc/crontab.

V. Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date.

2) Affected FreeBSD 4.x systems prior to the correction date:

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch.asc

Execute the following commands as root:

# cd /usr/src/usr.sbin/periodic
# patch -p < /path/to/patch
# make depend && make all install

[****** End FreeBSD Advisory ******]
CIAC wishes to acknowledge the contributions of FreeBSD for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at: 
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH