SETUID bit set in OMNIRESOLVE

Product HPE Data Protector
Severity Medium
CVE Reference CVE-2017-5809
Type Arbitrary File Read

Description

The OMNIRESOLVE executable component of HPE Data Protector is installed by default with the SETUID bit set, and is owned by the root user. The executable does not check that the provided input files are valid, and logs verbose errors containing the file contents, and so it can be used to read files which the user does not have permission to access.

Impact

This issue can be exploited by a local user to access sensitive files on the host, including password hashes and SSH keys, which could be used to elevate privileges and compromise other accounts.

Cause

The SETUID bit is set by default on the OMNIRESOLVE executable, and the file is owned by the root user. The OMNIRESOLVE application is therefore able to read any file on the filesystem. As the program outputs the contents of its configuration file to the terminal if the configuration is found to be invalid, it is possible to read any arbitrary file by passing it to OMNIRESOLVE as the configuration file.

Solution

A software update for HPE Data Protector is available from the vendor. HPE Data Protector should be updated to at least version 8.17 or 9.09 to resolve this issue.

Detailed Timeline

Date Summary
02/12/2016 Issue reported to vendor.
13/01/2017 Issue confirmed by vendor.
02/08/2017 Vendor confirms fixes for versions 8.x and 9.x are available.