|
|
| PROBLEM: | During internal auditing, sort(1) was found to use easily predictable temporary file names. It does create these temporary files correctly such that they cannot be "subverted" by a symlink attack, but the program will abort if the temporary filename chosen is already in use. |
| PLATFORM: | FreeBSD 3.x (all releases), FreeBSD 4.x (all releases prior to 4.2), FreeBSD 3.5-STABLE prior to the correction date. |
| DAMAGE: | Attackers can cause the operation of sort(1) to fail, possibly disrupting aspects of system operation. |
| SOLUTION: | Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, 4.2-RELEASE, or 4.2-STABLE after the correction date or patch your present system. Refer to section V. of this bulletin for additional information. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. An attacker could cause the sort(1) command to abort resulting in management scripts that rely on sort to miss malicious system activity. |
[****** Start FreeBSD Advisory ******]
=============================================================================
FreeBSD-SA-01:13 Security Advisory
FreeBSD, Inc.
Topic: sort uses insecure temporary files
Category: core
Module: sort
Announced: 2001-01-29
Credits: Discovered during internal auditing
Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases
prior to 4.2), FreeBSD 3.5-STABLE prior to the
correction date.
Corrected: 2000-11-11 (FreeBSD 4.1.1-STABLE)
2001-01-01 (FreeBSD 3.5-STABLE)
FreeBSD only: NO
I. Background
sort(1) is a program to sort lines of text. It is externally
maintained, contributed software which is included in FreeBSD by
default.
II. Problem Description
During internal auditing, sort(1) was found to use easily predictable
temporary file names. It does create these temporary files correctly
such that they cannot be "subverted" by a symlink attack, but the
program will abort if the temporary filename chosen is already in use.
This allows an attacker to cause the sort(1) command to abort, which
may have a cascade effect on other scripts which make use of it (such
as system management and reporting scripts). For example, it may be
possible to use this failure mode to hide the reporting of malicious
system activity which would otherwise be detected by a management
script.
All released versions of FreeBSD prior to the correction date including
FreeBSD 3.5.1 and FreeBSD 4.1.1 are vulnerable. The problem was
corrected prior to the release of FreeBSD 4.2.
III. Impact
Attackers can cause the operation of sort(1) to fail, possibly
disrupting aspects of system operation.
IV. Workaround
None appropriate.
V. Solution
One of the following:
Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE,
4.2-RELEASE, or 4.2-STABLE after the correction date.
To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:
[FreeBSD 4.1.1 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch.asc
Verify the detached PGP signature using your PGP utility.
# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install
[FreeBSD 3.5.1 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch.asc
Verify the detached PGP signature using your PGP utility.
# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install
[****** End FreeBSD Advisory ******]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)