Re: [VulnWatch] iDEFENSE Security Advisory: iSCSI Default Configuration File Settings

From: Mike Caudill (mcaudill@cisco.com)
Date: 08/09/02


Date: Thu, 8 Aug 2002 18:14:25 -0400
From: Mike Caudill <mcaudill@cisco.com>
To: David Endler <dendler@idefense.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Cisco PSIRT would like clarify the issue raised in the following
iDEFENSE Security Advisory.

The installation script for the linux-iscsi drivers on Cisco's worldwide
web site (http://www.cisco.com/) and the corresponding mirrored distributions
on SourceForge (http://sourceforge.net/) installs the /etc/iscsi.conf file
with mode 0600 (read/write only by the file owner which is set to the root
user). Therefore, installations of linux-iscsi installed from a distribution
downloaded from Cisco or SourceForge are not vulnerable. Other Linux
distributors may repackage the iSCSI drivers setting the file permissions
appropriately for their own distribution.

Since the /etc/iscsi.conf file contains CHAP passwords, this file should
not be readable or writable by anyone other than the root user. If you
are running a version of the linux-iscsi drivers from another vendor, you
should both inspect the permissions on the /etc/iscsi.conf file and patch
your systems when those vendors issue their respective patches for the issue.

Also, let me take this opportunity to remind folks that vulnerabilities
within any Cisco product should be reported directly to "psirt@cisco.com"
or "security-alert@cisco.com". At the very least we can assist with the
verification of the vulnerability.
 
- -Mike-

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPVLsHZPS/wbyNnWcEQJ53gCfY9MIBnFXDk6yVbpMVMSv3oVr6FIAn0Dc
y3DuunME0m7s2pChKiTDvJzW
=7o1f
-----END PGP SIGNATURE-----

> David Endler <dendler@idefense.com> [2002-08-08 10:30] wrote:
> iDEFENSE Security Advisory 08.08.2002
> iSCSI Default Configuration File Settings
>
>
> DESCRIPTION
>
> iSCSI is a popular new protocol that allows the SCSI protocol
> to be used over traditional IP networks. This allows for SAN
> like storage arrays without requiring new network
> infrastructure. iSCSI’s primary authentication mechanism for
> users is the CHAP protocol (Challenge Handshake Authentication
> Protocol), which is very resilient against replay attacks and
> provides strong protection for the user’s password. The CHAP
> protocol requires the user’s password to connect, and in order
> to automate this process the user must provide the cleartext
> password to the system that is then stored, typically in
> cleartext, so that it will be accessible when needed. Care
> must be taken to ensure configuration files containing the
> cleartext password are properly protected. For more
> information on the CHAP protocol please see RFC 1994.
>
> The primary iSCSI implementation for Linux, “Linux-iSCSI” is a
> freely available software package primarily maintained by
> Cisco Systems. This package stores it primary configuration
> directives in the file:
>
> /etc/iscsi.conf
>
> This file is created world writeable by default and no mention
> is made in the file of the importance of protecting it from
> being read by attackers. At least one vendor has shipped this
> file world readable in the default configuration of a beta
> release of an operating system, when notified they stated it
> would be fixed in the release version of the operating system.
>
> ANALYSIS
>
> Any authentication systems that require cleartext passwords to
> be stored should be carefully audited to ensure that passwords
> are properly protected. This problem can also potentially
> affect numerous packages, ranging from NTP and BIND to iSCSI
> all of which require stored passwords or secrets.
>
> DETECTION
>
> Check the permissions on the file:
>
> /etc/iscsi.conf
>
> The file should be owned by the user and group root, and only
> the root user should be granted read and write access to the
> file, all other permissions should be removed (i.e. file
> permissions should be 0400)
>
> VENDOR RESPONSE
>
> Red Hat has confirmed that the file /etc/iscsi.conf was set
> world readable in the Limbo Beta, and that it will be fixed in
> the next release version of Red Hat Linux. SuSE has confirmed
> that the file permissions are set correctly on
> /etc/iscsi.conf. No other major Linux vendors appear to be
> shipping the iSCSI package yet.
>
> DISCOVERY CREDIT
>
> Kurt Seifried (kurt@seifried.org)
>
> DISCLOSURE TIMELINE
>
> July 11, 2002: Problem found on Red Hat Linux Limbo Beta #1
> Initial contacts sent to Red Hat, SuSE and Cisco
>
> July 12, 2002: SuSE confirms file mode 600 by default, not
> vulnerable
> Email sent to Matthew Franz at Cisco, additional Cisco
> employees also contacted, iSCSI for Linux is an external
> project at Cisco, PSIRT was not used, no response ever
> received.
>
> July 17, 2002: iDEFENSE client disclosure
>
> July 29, 20022: Problem confirmed in Red Hat Limbo Beta #2,
> Red Hat contacted again, no response received.
>
> August 6, 2002: No update of Linux iSCSI, nor mention of
> problem on website.
>
> August 8, 2002: Public Advisory
>
>
> http://www.idefense.com/contributor.html
>
> David Endler, CISSP
> Director, Technical Intelligence
> iDEFENSE, Inc.
> 14151 Newbrook Drive
> Suite 100
> Chantilly, VA 20151
> voice: 703-344-2632
> fax: 703-961-1071
>
> dendler@idefense.com
> www.idefense.com
>
>
>
>
>
> [ ----- End of Included Message ----- ]

-- 
----------------------------------------------------------------------------
|      ||        ||       | Mike Caudill              | mcaudill@cisco.com |
|      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
|     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
| ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
----------------------------------------------------------------------------



Relevant Pages