Vulnerability in DISA security scripts could leave systems at risk

DISA warns government users not to run Unix Readiness Review Scripts until it is fixed

The Defense Information Systems Agency (DISA) is warning government administrators not to use its Security Readiness Review (SRR) scripts to evaluate Unix computers because of a vulnerability that could allow applications to install malicious software.

“Due to a recently identified security issue, please do not run any version of the UNIX SRR scripts until further notice,” the DISA Field Security Operation division warned in a notice posted Dec. 5. “The UNIX SRR scripts will be corrected and posted as soon as possible. Please check back at a later time for the updated scripts. Thanks for your understanding and support.”

The affected scripts were released in October. DISA usually releases new scripts every two months.

The SRR scripts verify compliance with Defense Department security implementation guidelines, but the process of checking can leave the host computer vulnerable to root access because suspect applications with administrative privileges are run while searching for the appropriate versions of software.

DISA develops Security Technical Implementation Guides (STIG) for DOD users to standardize the secure configuration and operations of hardware and software through the life cycle of the device or program. DISA also publishes SRR scripts to verify STIG compliance for a variety of operating systems, including Windows Vista, Oracle database, Open VMS, as well as a variety of Unix operating systems. The scripts are available for public use here.

The scripts are run with administrative privileges on the machine being reviewed, which can allow the installation of programs. During the review, the scripts search for items that could create vulnerabilities, in some cases running suspect programs as root to make sure the proper version of the software is being used. Researchers have found that the Unix scripts run Java, OpenSSL, PHP, Snort, Tshark, VNCserver, and Wireshark this way.

If attackers are able to put a malicious file into the filesystem labeled as one of these programs, they could install malicious software such as a root kit on the computer and cover their tracks by telling the script that the proper version was found and that everything is all right.

The workaround for the problem is to avoid running the SRR scripts for Unix until they are replaced in a fixed version. There has been no word on whether scripts for other operating system have similar problems.

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.