Vulnerability in DISA security scripts could leave systems at risk

DISA warns government users not to run Unix Readiness Review Scripts until it is fixed

The Defense Information Systems Agency (DISA) is warning government administrators not to use its Security Readiness Review (SRR) scripts to evaluate Unix computers because of a vulnerability that could allow applications to install malicious software.

“Due to a recently identified security issue, please do not run any version of the UNIX SRR scripts until further notice,” the DISA Field Security Operation division warned in a notice posted Dec. 5. “The UNIX SRR scripts will be corrected and posted as soon as possible. Please check back at a later time for the updated scripts. Thanks for your understanding and support.”

The affected scripts were released in October. DISA usually releases new scripts every two months.

The SRR scripts verify compliance with Defense Department security implementation guidelines, but the process of checking can leave the host computer vulnerable to root access because suspect applications with administrative privileges are run while searching for the appropriate versions of software.

DISA develops Security Technical Implementation Guides (STIG) for DOD users to standardize the secure configuration and operations of hardware and software through the life cycle of the device or program. DISA also publishes SRR scripts to verify STIG compliance for a variety of operating systems, including Windows Vista, Oracle database, Open VMS, as well as a variety of Unix operating systems. The scripts are available for public use here.

The scripts are run with administrative privileges on the machine being reviewed, which can allow the installation of programs. During the review, the scripts search for items that could create vulnerabilities, in some cases running suspect programs as root to make sure the proper version of the software is being used. Researchers have found that the Unix scripts run Java, OpenSSL, PHP, Snort, Tshark, VNCserver, and Wireshark this way.

If attackers are able to put a malicious file into the filesystem labeled as one of these programs, they could install malicious software such as a root kit on the computer and cover their tracks by telling the script that the proper version was found and that everything is all right.

The workaround for the problem is to avoid running the SRR scripts for Unix until they are replaced in a fixed version. There has been no word on whether scripts for other operating system have similar problems.

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.