Full Disclosure mailing list archives
Re: [VulnWatch] iDEFENSE Security Advisory: iSCSI Default Configuration File Settings
From: full-disclosure () lists netsys com (Mike Caudill)
Date: Thu, 8 Aug 2002 18:14:25 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Cisco PSIRT would like clarify the issue raised in the following iDEFENSE Security Advisory. The installation script for the linux-iscsi drivers on Cisco's worldwide web site (http://www.cisco.com/) and the corresponding mirrored distributions on SourceForge (http://sourceforge.net/) installs the /etc/iscsi.conf file with mode 0600 (read/write only by the file owner which is set to the root user). Therefore, installations of linux-iscsi installed from a distribution downloaded from Cisco or SourceForge are not vulnerable. Other Linux distributors may repackage the iSCSI drivers setting the file permissions appropriately for their own distribution. Since the /etc/iscsi.conf file contains CHAP passwords, this file should not be readable or writable by anyone other than the root user. If you are running a version of the linux-iscsi drivers from another vendor, you should both inspect the permissions on the /etc/iscsi.conf file and patch your systems when those vendors issue their respective patches for the issue. Also, let me take this opportunity to remind folks that vulnerabilities within any Cisco product should be reported directly to "psirt () cisco com" or "security-alert () cisco com". At the very least we can assist with the verification of the vulnerability. - -Mike- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.2 iQA/AwUBPVLsHZPS/wbyNnWcEQJ53gCfY9MIBnFXDk6yVbpMVMSv3oVr6FIAn0Dc y3DuunME0m7s2pChKiTDvJzW =7o1f -----END PGP SIGNATURE-----
David Endler <dendler () idefense com> [2002-08-08 10:30] wrote: iDEFENSE Security Advisory 08.08.2002 iSCSI Default Configuration File Settings DESCRIPTION iSCSI is a popular new protocol that allows the SCSI protocol to be used over traditional IP networks. This allows for SAN like storage arrays without requiring new network infrastructure. iSCSIs primary authentication mechanism for users is the CHAP protocol (Challenge Handshake Authentication Protocol), which is very resilient against replay attacks and provides strong protection for the users password. The CHAP protocol requires the users password to connect, and in order to automate this process the user must provide the cleartext password to the system that is then stored, typically in cleartext, so that it will be accessible when needed. Care must be taken to ensure configuration files containing the cleartext password are properly protected. For more information on the CHAP protocol please see RFC 1994. The primary iSCSI implementation for Linux, Linux-iSCSI is a freely available software package primarily maintained by Cisco Systems. This package stores it primary configuration directives in the file: /etc/iscsi.conf This file is created world writeable by default and no mention is made in the file of the importance of protecting it from being read by attackers. At least one vendor has shipped this file world readable in the default configuration of a beta release of an operating system, when notified they stated it would be fixed in the release version of the operating system. ANALYSIS Any authentication systems that require cleartext passwords to be stored should be carefully audited to ensure that passwords are properly protected. This problem can also potentially affect numerous packages, ranging from NTP and BIND to iSCSI all of which require stored passwords or secrets. DETECTION Check the permissions on the file: /etc/iscsi.conf The file should be owned by the user and group root, and only the root user should be granted read and write access to the file, all other permissions should be removed (i.e. file permissions should be 0400) VENDOR RESPONSE Red Hat has confirmed that the file /etc/iscsi.conf was set world readable in the Limbo Beta, and that it will be fixed in the next release version of Red Hat Linux. SuSE has confirmed that the file permissions are set correctly on /etc/iscsi.conf. No other major Linux vendors appear to be shipping the iSCSI package yet. DISCOVERY CREDIT Kurt Seifried (kurt () seifried org) DISCLOSURE TIMELINE July 11, 2002: Problem found on Red Hat Linux Limbo Beta #1 Initial contacts sent to Red Hat, SuSE and Cisco July 12, 2002: SuSE confirms file mode 600 by default, not vulnerable Email sent to Matthew Franz at Cisco, additional Cisco employees also contacted, iSCSI for Linux is an external project at Cisco, PSIRT was not used, no response ever received. July 17, 2002: iDEFENSE client disclosure July 29, 20022: Problem confirmed in Red Hat Limbo Beta #2, Red Hat contacted again, no response received. August 6, 2002: No update of Linux iSCSI, nor mention of problem on website. August 8, 2002: Public Advisory http://www.idefense.com/contributor.html David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendler () idefense com www.idefense.com [ ----- End of Included Message ----- ]
-- ---------------------------------------------------------------------------- | || || | Mike Caudill | mcaudill () cisco com | | || || | PSIRT Incident Manager | 919.392.2855 | | |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)| | ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------| | C i s c o S y s t e m s | http://www.cisco.com/go/psirt | ----------------------------------------------------------------------------
Current thread:
- iDEFENSE Security Advisory: iSCSI Default Configuration File Settings David Endler (Aug 08)
- Re: [VulnWatch] iDEFENSE Security Advisory: iSCSI Default Configuration File Settings Mike Caudill (Aug 08)