EnGarde Secure Linux Security Advisory: WebTool | Linux Today

Written By
Web Webster
May 30, 2001
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                    May 29, 2001 |
| http://www.engardelinux.org/                           ESA-20010529-01 |
|                                                                        |
| Package:  WebTool                                                      |
| Summary:  The WebTool does not clean its environment before restarting |
|           services.                                                    |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.

OVERVIEW
--------
  There is a bug in the Guardian Digital WebTool which shipped with
  EnGarde Secure Linux version 1.0.1.

DETAIL
------
  When the WebTool restarts a service, the service inherits certain
  environment variables that it should not, such as the token used to
  authenticate the administrator to the WebTool daemon.  Anybody who can
  view the environment variables of a process can thus get this token,
  and potentially root access.

  This bug is fixed in release 1.0.72 of the 'WebTool' and
  'WebTool-VHost' packages.  Please note the extra upgrade instructions
  in the SOLUTION section of this advisory.
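
  The flaw described above and its correction, as an added example that
  is not part of the advisory or the WebTool's own code: a daemon holding
  a token starts a child once with its full environment and once with an
  allowlisted one.  The variable name WEBTOOL_SESSION_TOKEN, the allowlist
  and the stand-in child process are assumptions.

```python
import json
import os
import subprocess
import sys

# Hypothetical name for the admin token; the advisory does not name the variable.
TOKEN_VAR = "WEBTOOL_SESSION_TOKEN"

# Variables a restarted service legitimately needs (assumed allowlist).
SAFE_VARS = ("PATH", "LANG", "TZ")

# Stand-in for a service init script: reports the environment it was started with.
CHILD = [sys.executable, "-c",
         "import json, os; print(json.dumps(dict(os.environ)))"]


def child_environment(env=None):
    """Start the stand-in service and return the environment it received."""
    out = subprocess.run(CHILD, env=env, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def scrubbed_env(parent_env):
    """Build the child's environment from an allowlist, not by deleting known-bad names."""
    env = {k: parent_env[k] for k in SAFE_VARS if k in parent_env}
    env.setdefault("PATH", "/sbin:/bin:/usr/sbin:/usr/bin")
    return env


def restart_inheriting(parent_env):
    """The flawed pattern: the child gets the daemon's whole environment."""
    return child_environment(env=dict(parent_env))


def restart_scrubbed(parent_env):
    """The corrected pattern: the child gets only allowlisted variables."""
    return child_environment(env=scrubbed_env(parent_env))


def demo():
    # Constructed daemon environment holding a constructed token value.
    daemon_env = dict(os.environ, **{TOKEN_VAR: "constructed-token-value"})
    leaked = TOKEN_VAR in restart_inheriting(daemon_env)
    clean = TOKEN_VAR not in restart_scrubbed(daemon_env)
    return leaked, clean


if __name__ == "__main__":
    print(demo())
```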


SOLUTION
--------
  All users should upgrade, as outlined in this advisory.  All updates
  can be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must be booted into a
  standard kernel or have LIDS disabled.  To disable LIDS execute the
  command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated packages, execute the command:

    # rpm -Uvh   ...

  When the packages are installed, the WebTool will need to be restarted
  by issuing the command:

    # /etc/init.d/webtool restart

  If LIDS was disabled, it should be re-enabled:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv 


UPDATED PACKAGES
----------------
  NOTE:  The only packages which need to be updated are 'WebTool' and
         'WebTool-VHost'.  No other subpackages were modified while
         fixing these bugs.  If you would like 1.0.72 versions of the
         other packages, you should rebuild the source RPM.  They are
         not listed here nor on the FTP server to avoid any confusion.

  Source Packages:

    SRPMS/WebTool-1.2-1.0.72.src.rpm
      MD5 Sum:  99a2772abbdc7bba1fdcaf51cacc804a

  Binary Packages:

    noarch/WebTool-1.2-1.0.72.noarch.rpm
      MD5 Sum:  60e9c54e02675618cf5faf43a1b01a65

    noarch/WebTool-VHost-1.2-1.0.72.noarch.rpm
      MD5 Sum:  924bdab801f6fbeab64f81629d54a6f9


REFERENCES
----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    J. Nick Koston 

  WebTool's Official Web Site:
    http://www.engardelinux.org/

  BUGTRAQ message disclosing the vulnerability:
    http://www.securityfocus.com/templates/archive.pike?list=1&mid=186988


----------------------------------------------------------------------------
$Id: 2001.05.29-WebTool,v 1.1 2001/05/29 21:10:18 rwm Exp $
----------------------------------------------------------------------------
Author: Ryan W. Maple,  
Copyright 2001, Guardian Digital, Inc.