RSA Identity Governance & Lifecycle Malicious Code Execution by root Vulnerability

Article Number

000036315

CVE ID

000036315

Applies To

RSA Product Name: RSA Identity Governance & Lifecycle
Versions: 7.1 P01 and earlier
Platforms:
  • RSA hardware appliance
  • Virtual application (OVA) with RSA-provided database
  • Virtual application (OVA) with customer-supplied database
  • Software Bundle with RSA database
  • Software Bundle for Customer Supplied Database

RSA Product Name: RSA Identity Governance & Lifecycle
Versions: 7.0.2 P07 and earlier; 7.0.1
Platforms:
  • RSA hardware appliance
  • Software Bundle (also known as Soft-Appliance) with RSA database
  • Software Bundle (also known as Soft-Appliance) for Customer Supplied Database

RSA Product Name: RSA Via Lifecycle & Governance
Versions: 7.0
Platforms:
  • RSA hardware appliance
  • Software Bundle (also known as Soft-Appliance) with RSA database
  • Software Bundle (also known as Soft-Appliance) for Customer Supplied Database

Article Summary

Resolution steps for malicious code execution by root vulnerability.

Alert Impact

Impacted - Apply RSA Remedy

Alert Impact Explanation

The presence of a dot in the $PATH variable for the 'root' user may lead to execution of malicious code as the root user. 

Status of any 'dot (. or :. or .:)' entries within the 'root' user's $PATH variable
The presence of a dot in the $PATH variable for the 'root' user will cause a binary in the current directory to be executed in preference to the originally intended system binary of the same name. Therefore, adding ':.' (colon + dot) to the root $PATH can cause execution of malicious code as the root user. For example, if the administrator were to log in as root and switch to a directory that had a file called cd within it, and that file contained the text rm -rf, this command would act in place of the original system cd command and wipe out the contents of the target directory.

Resolution

This issue is fixed in RSA Identity Governance & Lifecycle 7.1.0 P02 and 7.0.2 P08. For all other versions/patch levels, upgrade to the fixed version/patch level or otherwise follow the procedure below to remediate the issue.
  1. Log in to the appliance as root.
  2. Use the three commands below to back up the files that will be changed. Each command should return no output and no errors:

      mkdir /tmp/ACM-83000-backup
      cd ${AVEKSA_HOME}/deploy
      cp -t /tmp/ACM-83000-backup /root/setDeployEnv.sh upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

  3. Run only one of the following commands, based on your current RSA product version. No output or errors should be returned:

      v7.1.0 P01 and earlier:
          sed -i 's/export PATH=".:/export PATH="/' /root/setDeployEnv.sh

      v7.0.2 P07 and earlier, v7.0.1, v7.0:
          sed -i 's/export PATH=.:/export PATH=/' /root/setDeployEnv.sh

  4. While still in the ${AVEKSA_HOME}/deploy directory, run the following command. It should return no output and no errors:

      sed -i 's_#!/bin/sh_#!/bin/bash_' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

  5. While still in the ${AVEKSA_HOME}/deploy directory, run the following command to check if the dot has been removed from the PATH statement in /root/setDeployEnv.sh:

      grep 'export PATH=' /root/setDeployEnv.sh

     The command should display the output shown below, according to the RSA product version:

      v7.1.0 P01 and earlier:
          export PATH="${ORACLE_HOME}/bin:$PATH"
          export PATH="${ORACLE_CLIENT_HOME}:$PATH"
          export PATH="${JAVA_HOME}/bin:$PATH"

      v7.0.2 P07 and earlier, v7.0.1, v7.0:
          export PATH=$ORACLE_HOME/bin:$ORACLE_CLIENT_HOME:$JAVA_HOME/bin:$PATH

  6. While still in the ${AVEKSA_HOME}/deploy directory, use the following command to check if the shell has been changed for the specified script files:

      grep -n '#!/bin/bash' upgrade_utils.sh upgradeDB.sh generateLoginKey.sh oracle/dboraAbort.sh ${AVEKSA_HOME}/database/cliAveksa.sh

     The command should display the following output:

      upgrade_utils.sh:1:#!/bin/bash
      upgradeDB.sh:1:#!/bin/bash
      generateLoginKey.sh:1:#!/bin/bash
      oracle/dboraAbort.sh:1:#!/bin/bash
      /home/oracle/database/cliAveksa.sh:1:#!/bin/bash
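
An added example (not RSA's code) that extends the grep check in the procedure above: a static scan that flags PATH assignments containing a current-directory entry, including the empty entries (leading colon, trailing colon, "::") that POSIX shells also treat as the current directory. The function names and the sample lines are constructed for illustration, and variables in the scanned lines are not expanded.

```shell
#!/bin/sh
# Added example, not vendor code. Static check only: variables are not expanded.

# has_cwd_entry VALUE: succeed if the colon-separated VALUE has an entry that
# means "current directory": ".", "./", or an empty entry (leading colon,
# trailing colon, or "::").
has_cwd_entry() {
    case ":$1:" in
        *:.:* | *:./:* | *::*) return 0 ;;
    esac
    return 1
}

# scan_path_assignments FILE: print FILE:LINE: TEXT for every PATH assignment
# whose literal value has a current-directory entry; fail if any were found.
scan_path_assignments() {
    file=$1 n=0 hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        pre=${line%%PATH=*}                  # text before the first "PATH="
        [ "$pre" != "$line" ] || continue    # no assignment on this line
        case $pre in
            *\#*) continue ;;                # assignment is commented out
            *[A-Za-z0-9_]) continue ;;       # other variable, e.g. LD_LIBRARY_PATH
        esac
        val=${line#*PATH=}
        case $val in
            \"*) val=${val#\"}; val=${val%%\"*} ;;   # double-quoted value
            \'*) val=${val#\'}; val=${val%%\'*} ;;   # single-quoted value
            *)   val=${val%% *}; val=${val%%\;*} ;;  # bare word
        esac
        if has_cwd_entry "$val"; then
            printf '%s:%d: %s\n' "$file" "$n" "$line"
            hits=$((hits + 1))
        fi
    done < "$file"
    [ "$hits" -eq 0 ]
}

# Constructed sample in the two export styles the advisory shows.
sample=$(mktemp)
cat > "$sample" <<'EOF'
export PATH=".:${ORACLE_HOME}/bin:$PATH"
export PATH="${JAVA_HOME}/bin:$PATH"
export LD_LIBRARY_PATH=.:/opt/lib
export PATH=$ORACLE_HOME/bin:$JAVA_HOME/bin:$PATH:
EOF
scan_path_assignments "$sample" || echo "current-directory entries found"
rm -f "$sample"
```

On the constructed sample the scan reports lines 1 and 4; running `scan_path_assignments /root/setDeployEnv.sh` after the remediation should print nothing and exit 0.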

Notes

Backout

Should you need to back out these changes, the original files can be copied from the backup directory to their original locations as follows:
  1. Log in to the appliance as root.
  2. Run the following commands:

      cp /tmp/ACM-83000-backup/setDeployEnv.sh /root
      cp /tmp/ACM-83000-backup/dboraAbort.sh ${AVEKSA_HOME}/deploy/oracle
      cp /tmp/ACM-83000-backup/cliAveksa.sh ${AVEKSA_HOME}/database
      cp /tmp/ACM-83000-backup/{upgrade_utils.sh,upgradeDB.sh,generateLoginKey.sh} ${AVEKSA_HOME}/deploy
Version history
Last update:
‎2020-12-12 08:21 PM
Updated by:
Administrator RSA-KB-Sync Administrator

© 2022 RSA Security LLC or its affiliates. All rights reserved.