Vulnerability in DISA security scripts could leave systems at risk

The Defense Information Systems Agency (DISA) is warning government administrators not to use its Security Readiness Review (SRR) scripts to evaluate Unix computers because of a vulnerability that could allow applications to install malicious software.

“Due to a recently identified security issue, please do not run any version of the UNIX SRR scripts until further notice,” the DISA Field Security Operation division warned in a notice posted Dec. 5. “The UNIX SRR scripts will be corrected and posted as soon as possible. Please check back at a later time for the updated scripts. Thanks for your understanding and support.”

The affected scripts were released in October. DISA usually releases new scripts every two months.

The SRR scripts verify compliance with Defense Department security implementation guidelines, but the process of checking can leave the host computer vulnerable to root access because suspect applications with administrative privileges are run while searching for the appropriate versions of software.

DISA develops Security Technical Implementation Guides (STIG) for DOD users to standardize the secure configuration and operations of hardware and software through the life cycle of the device or program. DISA also publishes SRR scripts to verify STIG compliance for a variety of operating systems, including Windows Vista, Oracle database, Open VMS, as well as a variety of Unix operating systems. The scripts are available for public use here.

The scripts are run with administrative privileges on the machine being reviewed, which can allow the installation of programs. During the review, the scripts search for items that could create vulnerabilities, in some cases running suspect programs as root to make sure the proper version of the software is being used. Researchers have found that the Unix scripts run Java, OpenSSL, PHP, Snort, Tshark, VNCserver, and Wireshark this way.

If attackers are able to put a malicious file into the filesystem labeled as one of these programs, they could install malicious software such as a root kit on the computer and cover their tracks by telling the script that the proper version was found and that everything is all right.

The workaround for the problem is to avoid running the SRR scripts for Unix until they are replaced in a fixed version. There has been no word on whether scripts for other operating system have similar problems.