73074 2002-08-08 17:34 /108 lines/ David Endler <dendler@idefense.com>
Imported: 2002-08-08 17:34 by Brevbäraren
External recipient: vulnwatch@vulnwatch.org
External recipient: bugtraq@securityfocus.com
External recipient: full-disclosure@lists.netsys.com
External recipient: vuln-dev@securityfocus.com
External replies to: dendler@idefense.com
Recipient: Bugtraq (import) <1013>
Subject: iDEFENSE Security Advisory: iSCSI Default Configuration File Settings

------------------------------------------------------------

iDEFENSE Security Advisory 08.08.2002
iSCSI Default Configuration File Settings

DESCRIPTION

iSCSI is a popular new protocol that allows the SCSI protocol to be used over traditional IP networks. This allows for SAN-like storage arrays without requiring new network infrastructure.

iSCSI's primary authentication mechanism for users is the CHAP protocol (Challenge Handshake Authentication Protocol), which is very resilient against replay attacks and provides strong protection for the user's password. The CHAP protocol requires the user's password to connect, and in order to automate this process the user must provide the cleartext password to the system, which then stores it, typically in cleartext, so that it is accessible when needed. Care must be taken to ensure that configuration files containing the cleartext password are properly protected. For more information on the CHAP protocol please see RFC 1994.

The primary iSCSI implementation for Linux, Linux-iSCSI, is a freely available software package primarily maintained by Cisco Systems. This package stores its primary configuration directives in the file:

/etc/iscsi.conf

This file is created world writeable by default, and no mention is made in the file of the importance of protecting it from being read by attackers.
At least one vendor has shipped this file world readable in the default configuration of a beta release of an operating system; when notified, they stated it would be fixed in the release version of the operating system.

ANALYSIS

Any authentication system that requires cleartext passwords to be stored should be carefully audited to ensure that the passwords are properly protected. This problem can also potentially affect numerous packages, ranging from NTP and BIND to iSCSI, all of which require stored passwords or secrets.

DETECTION

Check the permissions on the file:

/etc/iscsi.conf

The file should be owned by the user and group root, and only the root user should be granted read and write access to the file; all other permissions should be removed (i.e. the file permissions should be 0400).

VENDOR RESPONSE

Red Hat has confirmed that the file /etc/iscsi.conf was set world readable in the Limbo Beta, and that it will be fixed in the next release version of Red Hat Linux.

SuSE has confirmed that the file permissions are set correctly on /etc/iscsi.conf.

No other major Linux vendors appear to be shipping the iSCSI package yet.

DISCOVERY CREDIT

Kurt Seifried (kurt@seifried.org)

DISCLOSURE TIMELINE

July 11, 2002: Problem found on Red Hat Linux Limbo Beta #1. Initial contacts sent to Red Hat, SuSE and Cisco.
July 12, 2002: SuSE confirms file mode 600 by default, not vulnerable. Email sent to Matthew Franz at Cisco; additional Cisco employees also contacted. iSCSI for Linux is an external project at Cisco, PSIRT was not used, no response ever received.
July 17, 2002: iDEFENSE client disclosure.
July 29, 2002: Problem confirmed in Red Hat Limbo Beta #2; Red Hat contacted again, no response received.
August 6, 2002: No update of Linux iSCSI, nor mention of the problem on the website.
August 8, 2002: Public advisory.

http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com
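The DETECTION check above, carried out as a small audit script. This is an added example and not code from the advisory or from the Linux-iSCSI project; it assumes a POSIX system (os.lstat, uid 0 is root), and the names SECRET_FILES, audit_secret_file and audit_all are mine. Group/other permission bits are treated as the finding, so both 0400 and 0600 pass; the advisory's own recommendation is 0400.

```python
import os
import stat

# Files the advisory says hold cleartext secrets. /etc/iscsi.conf is the one
# it names; the list is meant to be extended with other secret-bearing configs
# (the advisory mentions NTP and BIND without naming their files).
SECRET_FILES = ["/etc/iscsi.conf"]


def audit_secret_file(path, expected_uid=0):
    """Check one secret-bearing file against the advisory's guidance:
    owned by root (uid 0) and no permission bits for group or other.

    Returns a list of findings; an empty list means the file is compliant.
    expected_uid is a parameter (hypothetical) so the check can be
    exercised on a test file without running as root.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # Not a finding in itself: the package may simply not be installed.
        return [f"{path}: not present"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink's own mode says nothing about the secret; audit the target.
        return [f"{path}: is a symlink, audit its target instead"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"{path}: mode {mode:04o} grants group/other access; expected 0400")
    return findings


def audit_all(paths=SECRET_FILES, expected_uid=0):
    """Audit every listed file; returns {path: findings} for failing files only."""
    results = {}
    for path in paths:
        findings = audit_secret_file(path, expected_uid)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    failures = audit_all()
    for path, findings in failures.items():
        for finding in findings:
            print("FAIL", finding)
    if not failures:
        print("OK: listed secret files are root-owned with no group/other access")
```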