Difference between revisions of "EGI CSIRT:Alerts/intel-28-06-2010"
Jump to navigation Jump to search
|Line 48:||Line 48:|
Revision as of 13:51, 21 July 2010
EGI CSIRT ADVISORY [EGI-ADV-20100628] Title: Moderate Impact Vulnerability In Intel Compiler Suite Date: June 28th 2010 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/intel-28-06-2010 Summary A vulnerability caused by bad file permissions has been identified in products belonging to the Intel compiler suite. The vulnerability can be used by local attackers to compromise other users' accounts. This advisory is based on publically available information and investigations performed by the EGI Security Vulnerability Group and the EGI CSIRT. Details During the installation of the Intel Math Kernel Library (MKL - http://software.intel.com/en-us/intel-mkl/) several files are installed world-writable, including configuration files that are intended to be sourced by all users of the MKL libraries. This makes it trivial for a local attacker to compromise the accounts of other users. It appears that these issues were quietly corrected in December 2009. However, MKL components are included in several different products in the Intel compiler suite, which makes it hard to say exactly which versions are affected. At the time of writing, no advisory about the issue is available from Intel. Recommended Actions This vulnerability can easily be corrected by searching for world-writable files in the Intel installation directory tree, e.g. with find /opt/intel/ -type f -perm -o=w -ls and fixing the permissions with find /opt/intel/ -type f -perm -o=w -print0 | xargs -0 chmod go-w (please replace "/opt/intel" with any site-specific installation directory).
UPDATE1: Vulnerability In Intel Compiler Suite [EGI-ADV-20100628]