Vulnerability in DISA security scripts could leave systems at risk

DISA warns government users not to run Unix Readiness Review Scripts until it is fixed

The Defense Information Systems Agency (DISA) is warning government administrators not to use its Security Readiness Review (SRR) scripts to evaluate Unix computers because of a vulnerability that could allow applications to install malicious software.

“Due to a recently identified security issue, please do not run any version of the UNIX SRR scripts until further notice,” the DISA Field Security Operation division warned in a notice posted Dec. 5. “The UNIX SRR scripts will be corrected and posted as soon as possible. Please check back at a later time for the updated scripts. Thanks for your understanding and support.”

The affected scripts were released in October. DISA usually releases new scripts every two months.

The SRR scripts verify compliance with Defense Department security implementation guidelines, but the process of checking can leave the host computer vulnerable to root access because suspect applications with administrative privileges are run while searching for the appropriate versions of software.

DISA develops Security Technical Implementation Guides (STIG) for DOD users to standardize the secure configuration and operations of hardware and software through the life cycle of the device or program. DISA also publishes SRR scripts to verify STIG compliance for a variety of operating systems, including Windows Vista, Oracle database, Open VMS, as well as a variety of Unix operating systems. The scripts are available for public use here.

The scripts are run with administrative privileges on the machine being reviewed, which can allow the installation of programs. During the review, the scripts search for items that could create vulnerabilities, in some cases running suspect programs as root to make sure the proper version of the software is being used. Researchers have found that the Unix scripts run Java, OpenSSL, PHP, Snort, Tshark, VNCserver, and Wireshark this way.

If attackers are able to put a malicious file into the filesystem labeled as one of these programs, they could install malicious software such as a root kit on the computer and cover their tracks by telling the script that the proper version was found and that everything is all right.

The workaround for the problem is to avoid running the SRR scripts for Unix until they are replaced in a fixed version. There has been no word on whether scripts for other operating system have similar problems.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • cybersecure new york city

    Cybersecurity for smart cities: Changing from reactionary to proactive

Reader Comments

Thu, Dec 10, 2009 Ed Columbia, MD

The title of this article suggests that after the script is run, your system is less secure. This is absolutely not the case. The vulnerability is more of a privilege escalation, and is only effective with prior planning before the script is run. Not vulnerability exists afterwards... in other words: "Vulnerability in DISA security scripts would NOT leave systems at risk". Just a thought. It's these kind of titles that freak people out unnecessarily, and get managers all up in arms for no reason.

Wed, Dec 9, 2009 Jamie Adams Herndon, VA

Executing a command to determine its version during a scan is a lot like placing your hand on a stove to see if it is hot rather than checking the stove's gauges first. Granted DISA's challenge is script portability. We have elaborated and discussed alternatives techniques on this vulnerability here: http://tcs-security-blanket.blogspot.com/2009/12/disa-unix-srr-vulnerability.html

Wed, Dec 9, 2009

12/09/09 7:59am - Updated UNIX scripts and checklists are now available on IASE and should be used instead of previous versions. Please refer to Appendix D for list of changes to the checklist and README file for changes made to scripts.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group