[Fwd: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue]

From: Maciej Bogucki (maciej.bogucki_at_artegence.com)
Date: 02/23/05

    Date: Wed, 23 Feb 2005 17:40:50 +0100
    To: bugtraq@securityfocus.com
    
    attached mail follows:


    Date: Tue, 22 Feb 2005 15:48:53 -0800
    To: arkeia-userlist@arkeia.com, arkeia-announce@arkeia.com
    
    

    Arkeia announces the release of Arkeia Network Backup 5.3.5.
    This release fixes a buffer overflow bug described in bugtraq id 12594.
    This bug could allow a remote attacker to execute arbitrary code
    remotely, and thus get root access to the machine.
    If you are in a trusted private lan environment, you don't need to
    upgrade.
    However, if you are using Arkeia in an untrusted environment, it is
    strongly advised to upgrade to this version.
    The bug is in the arkeiad daemon process. So you have to upgrade all the
    sensitive client machines.
    You can get this new version for all client packages through our ftp
    site:
    ftp://ftp.arkeia.com/pub/arkeia5.3/arkeia-network-backup

    It is also strongly advised to read the Arkeia User Manual "Appendix B:
    System Security" to secure Arkeia against system-level intrusion.

    Here is the appendix:

    APPENDIX B: System Security
    ---------------------------
    This appendix describes what you need to do to secure Arkeia 5 against
    system-level intrusion. If you are looking for information about data
    security, or how to encrypt the data Arkeia puts onto backup tapes,
    please see these references:
      - Define options for the savepack on page 84;
      - encryption configuration on page 168.

    B.1. Client Security
    --------------------
    To achieve the best security on an Arkeia client computer, you need to
    prevent:
      - the client from being used as a server,
      - access to the client from non-authorized backup servers, and
      - access to configuration files.
    This section explains how to secure an Arkeia client.

    Deny server functions on a client
    ---------------------------------
    Arkeia 5 consists of three main functional packages:
      - backup server,
      - client, and
      - graphical interface.
    To simplify installation, all three packages are installed every time.
    When the installation is on a platform which can be either an Arkeia
    server or client, there is a risk that an intruder who hacks into the
    client computer could turn it into a backup server.

    To prevent this you can deny access to the server functions on a client
    computer in the authorization configuration files (auth_ files).
    Auth_ files are named using this convention:
    $ARKEIA_DIR/arkeiad/auth_<PROCESS_NAME>.cfg

    To deny access to a process, change the active line in the authorization
    configuration file from ALLOW to DENY:
    <PROCESS_NAME>.* DENY * *

    For example:
    ARKBKP.* DENY * *

    The server auth_ files to change to DENY are:
      a. auth_ARKBKP (Backup)
      b. auth.ARKDUP (Tape duplication)
      c. auth.ARKLIB (Tape library management)
      d. auth_ARKNAV (Navigation)
      e. auth_ARKRST (Restoration)
      f. auth_ARKTRANS (Transaction)

    Secure access to clients
    ------------------------
    On most networks, it is advisable to deny backup access to clients,
    except from the intended Arkeia server (or servers).
    This is also done in the auth_ files.
    The format to restrict access to a given backup server is:

    <PROCESS_NAME>.* ALLOW <backup_server_FQDN> *

    For example:
    ARKADMIN.* ALLOW mercury.arkeia.com *

    The client auth_ files to change are:
       a. auth_ARKADMIN (Client administration)
       b. auth_ARKFS (client backup, restore, navigation)

    Plug-ins
    --------
    Plug-ins are generally forked by the local client, but it is also
    advisable to restrict access to the local computer.
    The format to limit access is:

    ARKP<PLUGIN>.* ALLOW <local computer FQDN> *

    For example:
    ARKPMYSQL.* ALLOW mercury.arkeia.com *

    Further access limitation
    -------------------------
    You can further tighten client access by requiring a connection on a
    reserved port, and using a root account. The format to limit access is:

    <PROCESS_NAME>.* ALLOW <backup server FQDN>[1] root

    For example:
    ARKADMIN.* ALLOW mercury.arkeia.com[1] root

    Secure configuration files
    --------------------------
    Various Arkeia configuration files contain information such as
    passwords and encryption keys, which should be restricted to prevent
    unauthorized access.
    The best way to do this is to make these files root read-only.
    In a shell, run the following command:

    # chmod 600 <filename>

    The files to restrict are:
      a. $ARKEIA_DIR/arkc/arkc.param
      b. $HOME/.arkc/arkc.param
      c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
      d. $ARKEIA_DIR/arkeiad/cryptree.ark
      e. $ARKEIA_DIR/arkeiad/admin.cfg
      f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
      g. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
      h. path-to/<global encryption file>

    B.2 Server Security
    -------------------
    To achieve the best security in an Arkeia Server,
      - restrict access to the Arkeia backup server functions from remote
        computers,
      - reserve sensitive operations such as backup creation for an Arkeia
        Administrator role, leaving daily operations to an Arkeia Operator
        role,
      - secure the server configuration files, and
      - secure by encryption the data stream between the Arkeia server and
        clients.

    Secure access
    -------------
    You are able to manage backups and restores from any computer on the
    network.
    As backup administrator, you would normally do this from the server
    computer, or your own computer, so it is advisable to restrict Arkeia
    backup control to these computers.
    On an Arkeia server, you can control access through the auth_ files, in
    the same way you controlled access to Arkeia clients.
    The format to limit access is:

    <PROCESS_NAME>.* ALLOW <list of allowed hosts> *

    For example:
    ARKADMIN.* ALLOW mercury.arkeia.com|earth.arkeia.com *

    Note that each allowed host FQDN is separated by a "|" (vertical broken
    bar).

    The server process authorization configuration files in which to list
    the authorized hosts are:
      a. auth_ARKBKP (Backup)
      b. auth.ARKDUP (Tape duplication)
      c. auth.ARKLIB (Tape library management)
      d. auth_ARKNAV (Navigation)
      e. auth_ARKRST (Restoration)
      f. auth_ARKTRANS (Transaction)

    Roles
    -----
    Once you have configured Arkeia to work the way you want it to,
    changes to the configuration will be very rare.
    It is advisable to create an account with OPERATOR and USER permissions
    for the daily management of backups and restorations.

    Secure configuration files
    --------------------------
    For the same reasons as client configuration files, server configuration
    files should be restricted to prevent unauthorized access. The best way
    to do this is to make these files root read-only.
    In a shell, run the following command:

    # chmod 600 <filename>

    The files to restrict are:
      a. $ARKEIA_DIR/arkc/arkc.param
      b. $HOME/.arkc/arkc.param
      c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
      d. $ARKEIA_DIR/arkeiad/cryptree.ark
      e. $ARKEIA_DIR/arkeiad/admin.cfg
      f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
      g. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
      h. path-to/<global encryption file>
      i. $ARKEIA_DIR/server/dbase/f3sec/*

    Port forwarding
    ---------------
    By default, communication between Arkeia backup server and Arkeia
    backup client is unencrypted.
    You can use SSH to secure the data stream between the server and the
    client. On the server computer, enter this command as root:

    # ssh -g -L 617:<backup_server_hostname>:619 <client_hostname>

    When Arkeia connects to port 617 on a client, the data is forwarded over
    the secure channel to client_hostname, port 619.
    You must change the Arkeia backup client to 619, see Arkeia daemon
    management on page 160 of Arkeia User manual for instructions on how to
    do this.

    For example:
    # ssh -g -L 617:earth.arkeia.com:619 mercury.arkeia.com

    Data will now pass by an encrypted channel between port 61 on the backup
    server earth.arkeia.com and port 619 on the client mercury.arkeia.com

    If you want to apply this setting automatically when the server computer
    is booted, add the above command to the file /etc/ssh/ssh_config

    -- 
    Arnaud Spicht, CTO
    Arkeia Corp                                    Arkeia SA
    1808 Aston Avenue, Suite 220                   41 rue Delizy
    Carlsbad, CA 92008                             93692 Pantin Cedex
    USA                                            France
    Tel: (760) 431.1319 x2004                      Tel: +33 (0)1 48 10 89 89
    Fax: (760) 602.8599                            Fax: +33 (0)1 48 10 89 90
    http://www.arkeia.com
    ________________________________________________________________________
    This email message is for the sole use of the intended recipient(s) and
    may contain confidential information or information belonging to Arkeia
    Corp. The unauthorized disclosure, use, dissemination or copying (either
    whole or partial) of this e-mail, or any information it contains, is
    prohibited.
    If you are not the intended recipient of this e-mail, please delete it
    immediately from your system and notify the sender of the wrong delivery
    by reply email. Thank you.
    ___________________________________________________
    This read-only mailing-list is used for announcements about Arkeia (new
    releases, bug fixes, etc...) If you wish to modify your subscription or if
    you want to subscribe to other Arkeia mailing-lists, please, go to:
    http://www.arkeia.com/arkeialists.html
    ____________________________________________________
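
Added example, not part of the forwarded announcement or of Arkeia's software: a shell audit for the auth_ rules and file modes that Appendix B describes. It assumes rule lines have the four whitespace-separated fields shown in the appendix and that a `*` in the host field accepts any host; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Arkeia code. Assumes each rule line has the four
# whitespace-separated fields shown in Appendix B:
#   <PROCESS_NAME>.* ALLOW|DENY <hosts> <user>

# Classify one rule line: deny, open, strict or host-restricted.
classify_rule() {
    set -f; set -- $1; set +f      # split fields without globbing "*"
    [ $# -eq 4 ] || return 0       # not a rule line: print nothing
    case "$2" in
        DENY) echo deny ;;
        ALLOW)
            case "$3,$4" in
                "*",*)        echo open ;;            # any host accepted
                *"[1],root")  echo strict ;;          # [1] suffix + root
                *)            echo host-restricted ;;
            esac ;;
    esac
}

# Report auth_*.cfg files that are not mode 600 or still accept any host.
# Returns non-zero when there is at least one finding.
audit_arkeiad_dir() {
    dir=$1; findings=0
    for f in "$dir"/auth_*.cfg; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" ! -perm 600)" ]; then
            printf 'PERM %s: mode is not 600\n' "$f"; findings=$((findings + 1))
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            if [ "$(classify_rule "$line")" = open ]; then
                printf 'OPEN %s: %s\n' "$f" "$line"; findings=$((findings + 1))
            fi
        done < "$f"
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: one hardened file, one with a wildcard ALLOW.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ARKADMIN.* ALLOW mercury.arkeia.com[1] root' > "$d/auth_ARKADMIN.cfg"
    printf '%s\n' 'ARKFS.* ALLOW * *' > "$d/auth_ARKFS.cfg"
    chmod 600 "$d/auth_ARKADMIN.cfg"; chmod 644 "$d/auth_ARKFS.cfg"
    audit_arkeiad_dir "$d" && rc=0 || rc=1
    rm -rf "$d"; return "$rc"
}

demo || true
```

On a real client, point `audit_arkeiad_dir` at `$ARKEIA_DIR/arkeiad`; the mode check looks for exactly 600, the value the appendix gives.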
    
