Date: 31 January 2001
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.042 -- FreeBSD-SA-01:12.periodic [REVISED]
periodic uses insecure temporary files
31 January 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: periodic
Vendor: FreeBSD
Operating System: FreeBSD
Impact: Overwrite Arbitrary Files
Access Required: Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:12 Security Advisory
FreeBSD, Inc.
Topic: periodic uses insecure temporary files [REVISED]
Category: core
Module: periodic
Announced: 2001-01-29
Revised: 2001-01-29
Credits: David Lary <dlary@secureworks.net>
Affects: FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE,
and 4.1.1-STABLE prior to the correction date.
No FreeBSD 3.x versions are affected.
Corrected: 2000-11-11
FreeBSD only: Yes
0. Revision History
v1.0 2001-01-29 Initial release
v1.1 2001-01-29 Correctly credit original problem reporter
I. Background
periodic is a program to run periodic system functions.
II. Problem Description
A vulnerability was inadvertently introduced into periodic that caused
temporary files with insecure file names to be used in the system's
temporary directory. This may allow a malicious local user to cause
arbitrary files on the system to be corrupted.
By default, periodic is normally called by cron for daily, weekly, and
monthly maintenance. Because these scripts run as root, an attacker
may potentially corrupt any file on the system.
FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE
prior to the correction date are vulnerable. The problem was
corrected prior to the release of FreeBSD 4.2.
III. Impact
Malicious local users can cause arbitrary files on the system to be
corrupted.
IV. Workaround
Do not allow periodic to be used in untrusted multi-user environments.
Disable the normal periodic system maintenance scripts by either
commenting-out or removing the periodic entries in /etc/crontab.
V. Solution
One of the following:
1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date.
2) Affected FreeBSD 4.x systems prior to the correction date:
Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch.asc
Execute the following commands as root:
# cd /usr/src/usr.sbin/periodic
# patch -p < /path/to/patch
# make depend && make all install
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBOnXa7lUuHi5z0oilAQHW2AP7BP+YRA93Guy+ImRy1O2IHw/6qYBivSA1
fpYrTERUyyBHbe04KypWjloHfzvKIZoYApXdleECkVBPMYwNPNixTYVrU4zR4qbC
EjgtF4OhjLjmO/LqbKPiwDC7TEWWi3OtPWwpJlqT7uNoHmg+o6ySTJPPyrpAFuUQ
FS8I+DjVESA=
=wBFp
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOng0XCh9+71yA2DNAQEwyAP6AjuAqtM3ZDWeMzWleZvPvA4CNJx6l3kr
C0T/GEcENVpqIL5D0Scq24AcPxcv96zdYsAtT/xs4Hhs0xf0SUnaQaU3dWwePTyJ
AhtP9jaqlWkaaDyPhK4nHojRJfSwQ5uDWHat6u/YySyNSEjJbZmR7flruHRu6E+g
azHo4rfUCd8=
=60tb
-----END PGP SIGNATURE-----
|