Bug in Axent 5.0

[aleph1 () SECURITYFOCUS COM (Aleph One)]

Bug in Axent 5.0 for Unix
Bugtraq ID 518

This information was forwarded to Security Focus.

 Certain checks within Axent's ESM 5.0 for Unix may prevent legitimate
 users from logging on to scanned hosts.

 Specifically, four checks within the security auditing program may cause
 this denial of service:

 * Check PATH using 'su'
 * Check PATH by modifying startup script
 * Check umask using 'su'
 * Check umask by modifying startup script

 These checks are not enabled in the default policy templates.

 When ESM is checking PATH (or umask) values, it will 'su' to the user's
 account. If the user's script calls a menu function, ESM will not respond
 and the check will hang. To overcome this problem, ESM copies the
 startup script to the /tmp directory, adds additional values to the end of
 the script, and copies the script back to the user's directory. The new
 values in the script will echo the PATH and umask values to a file called
 .esmvalues in the user's home directory the next time the user logs in.
 When ESM is run again, it will read the contents of .esmvalues to
 determine the PATH and umask values. This procedure eliminates the
 problems associated with 'su'ing to the account and hanging on a menu
 call.

 Unfortunately, when ESM copies the file to /tmp, file ownership and
 permissions are changed to 'root'. When the file is copied back to the
 user's directory, only root has access - legitimate users will not be
 able to execute their login script.

 This bug should be fixed in the upcoming 5.0.1 release.

--
Elias Levy
Security Focus
http://www.securityfocus.com/