COMMAND

    InoculateIT

SYSTEMS AFFECTED

    InoculateIT for Linux

PROBLEM

    Chris Wilson found the following.  He discovered a security  flaw
    (a /tmp race condition) in  Computer Associates' InoculateIT  product,
    a virus scanner for Microsoft and UNIX platforms which is free  for
    personal use.  The vulnerability allows local users to deny service
    to the system or possibly gain root privileges.

    The vulnerability affects some UNIX versions of InoculateIT  under
    certain conditions.  The Linux version, which is the one that  was
    tested, is not vulnerable under normal circumstances.  However, it
    is believed that other UNIX versions are basically identical  and,
    given the necessary directory layout (see precondition (a) below),
    will be vulnerable to this attack.

    The update_signature script, at least in the Linux version,  calls
    ftpdownload to retrieve an updated version of itself.  ftpdownload
    contains a security vulnerability, and update_signature contains a
    self-destruct mechanism.

    1. Insecure temporary files.
    ============================
    ftpdownload contains the following lines:

        wlog=/tmp/ftpdownload.log
        ...
          $CAIGLBL0000/ino/bin/wget $URL -O $LOCAL_FN > $wlog 2>&1

    Because the temporary file /tmp/ftpdownload.log has a  well-known,
    non-random name and is created in the world-writable /tmp directory,
    any local user can create a symbolic link from /tmp/ftpdownload.log
    to another file on the system; the ">" redirection follows the link
    and truncates and overwrites that file.  This requires two
    preconditions:

        a) $CAIGLBL0000/ino/bin/wget must exist, otherwise wget is not run.
        b) ftpdownload is run as root

    If these preconditions are met, and /tmp/ftpdownload.log is a
    symbolic link to, say, /etc/passwd, then that file will be
    overwritten the next time ftpdownload is run.  This may happen
    automatically, since the README file gives instructions for
    installing it as a cron job which executes every day at 1am.  The
    result is at least a denial of service (the target is truncated even
    if wget writes nothing useful into it), and quite possibly a root
    compromise if the right file is overwritten.

    Please note that the original advisory contains a small mistake.
    It is not possible, as previously thought, to overwrite an
    arbitrary file on the system with arbitrary contents, only with
    the contents of an FTP download or a wget error message.  We
    believe that this mitigates the risk of exploitation, but we could
    be wrong.
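    The race described above, as an added example that is not code from
    the InoculateIT scripts: the predictable-name pattern from ftpdownload
    is placed beside a hardened variant, and both are run inside a
    private scratch directory that stands in for /tmp, so the demo needs
    no root and touches no real system file.  The scratch directory, the
    "victim" file standing in for /etc/passwd and the log text are
    constructed here.

```shell
#!/bin/sh
# Added example (not the InoculateIT ftpdownload script): the predictable
# /tmp log name from the advisory beside a hardened variant, run inside a
# private scratch directory so it needs no root and touches no real files.
# The scratch directory, the "victim" file and the log text are constructed.

# Vulnerable pattern: a fixed name in a shared directory, opened with a plain
# '>' redirection. If someone has already planted a symlink at that name,
# the shell follows it and truncates whatever it points to.
vulnerable_log() {
    wlog="$1/ftpdownload.log"        # plays the part of /tmp/ftpdownload.log
    printf 'Connecting... 404 Not Found\n' > "$wlog" 2>&1
}

# Hardened pattern: mktemp creates a fresh file with an unpredictable name
# using O_CREAT|O_EXCL, so a symlink planted at any name cannot be followed;
# the log is opened only after we know we created it.
hardened_log() {
    wlog=$(mktemp "$1/ftpdownload.XXXXXX") || return 1
    printf 'Connecting... 404 Not Found\n' > "$wlog" 2>&1
}

# 0 if the victim still holds its original content, 1 if it was clobbered.
victim_intact() {
    [ "$(cat "$1")" = "root:x:0:0:root:/root:/bin/sh" ]
}

# Set up a scratch "/tmp", plant the attacker's symlink, run the logger
# named in $1, and print "intact" or "overwritten".
simulate() {
    sb=$(mktemp -d) || return 1
    victim="$sb/victim"                              # stands in for /etc/passwd
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$victim"
    ln -s "$victim" "$sb/ftpdownload.log"            # attacker wins the race
    "$1" "$sb"                                       # the privileged cron job runs
    if victim_intact "$victim"; then echo intact; else echo overwritten; fi
    rm -rf "$sb"
}

echo "vulnerable_log: $(simulate vulnerable_log)"   # overwritten
echo "hardened_log:   $(simulate hardened_log)"     # intact
```

    Two caveats when reproducing this against a real /tmp rather than the
    scratch directory: on current Linux kernels fs.protected_symlinks
    refuses to follow a symlink in a sticky, world-writable directory
    when the follower is not the link's owner, which blocks this
    particular attack as root, and a fixed name is still a denial of
    service (the attacker can pre-create a directory or a file with
    unhelpful permissions at that path).  mktemp(1) avoids both problems.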

    2. Self-Destruct in update_signature.
    =====================================
    update_signature helpfully renames  the current InoculateIT  files
    with a .prev extension before  downloading an update, in case  the
    updated files are corrupt or do not work for some reason.  However,
    in the event of a download failure, the .prev files are not restored
    to their original names.  The virus scanner will then refuse to run
    unless these files are renamed manually, or update_signature.prev
    is run manually to download a new copy.

    An  automatic  update  might  fail  for  a  number of reasons, for
    example if the user's Internet connection has failed, is busy,  or
    is under a  denial-of-service attack, or  if CA's server  crashed,
    was cracked, or was under heavy load (e.g. around 1am).

SOLUTION

    The solution is to modify the script to store the log file outside
    the world-writable /tmp, for example alongside the download target:

        wlog=$LOCAL_FN.log

    This is only safe if the directory holding $LOCAL_FN is writable
    solely by the user running ftpdownload; a name generated with
    mktemp(1) is the more robust choice.

    The solution for the second problem is to change this code (the
    same restore loop belongs on every other failure exit in the script,
    including a failed download, since the text above notes that those
    also leave the .prev files in place):

        else
            echo "Error $? during tar extract"
            exit 16
        fi

    to:

        else
            echo "Error $? during tar extract"
            for i in inocucmd virsig.dat README.txt update_signature ftpdownload $id_file; do
                    mv -f $i.prev $i
            done
            exit 16
        fi
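    A more general form of the fix above, as an added example that is
    not the InoculateIT update_signature script: instead of restoring
    the .prev files on one specific error branch, an EXIT trap puts them
    back on any failure path (a failed download, a bad tar, a signal) and
    is disarmed only once the new files are in place.  The file list,
    the working directory and the "ok"/"fail" switch standing in for the
    download outcome are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the InoculateIT update_signature script): an update
# step that renames the live files to .prev and puts them back on *any*
# failure exit, not only a failed tar extract. File names, the working
# directory and the "download" switch are constructed for the demo.

FILES="inocucmd virsig.dat"   # constructed stand-ins for the real file set

# Put back every .prev file that exists. Idempotent, so it is safe to run
# from an EXIT trap even when the update failed before any rename.
restore_prev() {
    for f in $FILES; do
        if [ -e "$f.prev" ]; then
            mv -f "$f.prev" "$f"
        fi
    done
}

# Run one update in $1. $2 is "ok" or "fail" and stands in for whether the
# download and extract succeed. Returns 16 on failure, 0 on success.
do_update() {
    (
        cd "$1" || exit 1
        # From here on, leaving the subshell for any reason (the exit 16
        # below, a failed download, a signal) restores the previous files.
        trap 'restore_prev' EXIT
        for f in $FILES; do mv -f "$f" "$f.prev"; done
        if [ "$2" = fail ]; then
            echo "Error during download" >&2
            exit 16
        fi
        for f in $FILES; do printf 'new-%s\n' "$f" > "$f"; done
        # Success: disarm the rollback so the trap cannot undo the install,
        # then drop the backups.
        trap - EXIT
        for f in $FILES; do rm -f "$f.prev"; done
    )
}

# Seed a scratch dir with "old" files, run an update, and report the
# resulting contents on one line.
simulate_update() {
    d=$(mktemp -d) || return 1
    for f in $FILES; do printf 'old-%s\n' "$f" > "$d/$f"; done
    do_update "$d" "$1" || true
    out=""
    for f in $FILES; do out="$out $(cat "$d/$f")"; done
    rm -rf "$d"
    printf '%s\n' "${out# }"
}

echo "after successful update: $(simulate_update ok)"     # new-inocucmd new-virsig.dat
echo "after failed update:     $(simulate_update fail)"   # old-inocucmd old-virsig.dat
```

    The trap is registered before the first rename and cleared only after
    the last new file is written, so there is no window in which a
    failure leaves the scanner with neither the old nor the new files.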