[UNIX] iSCSI Default Configuration File Settings

From: support@securiteam.com
Date: 08/10/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 10 Aug 2002 22:52:16 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  iSCSI Default Configuration File Settings
------------------------------------------------------------------------

SUMMARY

iSCSI is a popular new protocol that allows the SCSI protocol to be used
over traditional IP networks. This allows for SAN-like storage arrays
without requiring new network infrastructure. iSCSI's primary
authentication mechanism for users is the CHAP protocol (Challenge
Handshake Authentication Protocol), which is very resilient against replay
attacks and provides strong protection for the user's password. The CHAP
protocol requires the user's password to connect, and in order to automate
this process the user must provide the clear text password to the system
that is then stored, typically in clear text, so that it will be
accessible when needed. Care must be taken to ensure configuration files
containing the clear text password are properly protected. A vulnerability
in Red Hat's implementation of the iSCSI protocol has been found; it
allows easy access to the clear text form of the password used by the
iSCSI system.

DETAILS

The primary iSCSI implementation for Linux, "Linux-iSCSI", is a freely
available software package primarily maintained by Cisco Systems. This
package stores its primary configuration directives in the file:
 /etc/iscsi.conf

This file is created world writeable by default, and no mention is made in
the file of the importance of protecting it from being read by attackers.
At least one vendor has shipped this file world readable in the default
configuration of a beta release of an operating system; when notified, they
stated it would be fixed in the release version of the operating system.

Analysis:
Any authentication system that requires clear text passwords to be stored
should be carefully audited to ensure that passwords are properly
protected. This problem can also potentially affect numerous packages,
ranging from NTP and BIND to iSCSI, all of which require stored passwords
or secrets.

Detection:
Check the permissions on the file:
 /etc/iscsi.conf

The file should be owned by the user and group root, and only the root
user should be granted read and write access to the file; all other
permissions should be removed (i.e. file permissions should be 0400).
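
One way to script the check described above, as an added example that is not part of the original advisory. It assumes GNU coreutils `stat`; the function names are illustrative, and any group or other permission bit is treated as a finding, so a file at 0400 passes.

```shell
#!/bin/sh
# Added example: audit files that hold clear text secrets, such as the
# CHAP password in /etc/iscsi.conf. Assumes GNU coreutils `stat`.

# mode_is_private MODE
# Succeeds when the octal MODE grants nothing to group or other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# audit_secret_file PATH [OWNER] [GROUP]
# Prints one line per finding. Returns 0 when the file is clean,
# 1 when there are findings, 2 when the file cannot be examined.
# OWNER and GROUP default to root, as the advisory requires.
audit_secret_file() (
    path=$1
    want_user=${2:-root}
    want_group=${3:-root}

    [ -e "$path" ] || { echo "$path: not present"; exit 2; }

    # -L follows symlinks, so the target holding the secret is what gets
    # checked, not the link (whose own mode is always lrwxrwxrwx).
    info=$(stat -L -c '%U %G %a' -- "$path") || exit 2
    set -- $info

    rc=0
    [ "$1" = "$want_user" ] ||
        { echo "$path: owner is $1, expected $want_user"; rc=1; }
    [ "$2" = "$want_group" ] ||
        { echo "$path: group is $2, expected $want_group"; rc=1; }
    mode_is_private "$3" ||
        { echo "$path: mode $3 grants access to group or other"; rc=1; }
    exit $rc
)

# When saved as a script: sh audit.sh /etc/iscsi.conf [more files...]
for f in "$@"; do
    audit_secret_file "$f" || true
done
```

The same function can be pointed at other files that store secrets, such as the NTP and BIND key files mentioned in the analysis.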

Vendor response:
Red Hat has confirmed that the file /etc/iscsi.conf was set world readable
in the Limbo Beta, and that it will be fixed in the next release version
of Red Hat Linux. SuSE has confirmed that the file permissions are set
correctly on /etc/iscsi.conf. No other major Linux vendors appear to be
shipping the iSCSI package yet.

ADDITIONAL INFORMATION

The information has been provided by Kurt Seifried <kurt@seifried.org>.
