Date: Tue, 25 Apr 2000 10:21:26 -0700
From: Aleph One <[email protected]>
To: [email protected]Subject: ISS Security Advisory: Backdoor Password in Red Hat Linux Virtual Server Package
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Advisory
April 24, 2000
Backdoor Password in Red Hat Linux Virtual Server Package
Synopsis:
Internet Security Systems (ISS) X-Force has identified a backdoor password
in the Red Hat Linux Piranha product. Piranha is a package distributed by
Red Hat, Inc. that contains the Linux Virtual Server (LVS) software, a
web-based GUI, and monitoring and fail-over components. A backdoor password
exists in the GUI portion of Piranha that may allow remote attackers to
execute commands on the server. If an affected version of Piranha is
installed and the default backdoor password remains unchanged, any remote as
well as local user may login to the LVS web interface. From here LVS
parameters can be changed and arbitrary commands can be executed with the
same privilege as that of the web server.
Impact:
With this backdoor password, an attacker could compromise the web server as
well as deface and destroy the web site.
Affected Versions:
Piranha is distributed in three Red Hat Package Managers (RPMs): "piranha",
"piranha-gui", and "piranha-docs". The vulnerability is present if version
0.4.12 of piranha-gui is installed.
The current distribution of Red Hat Linux 6.2 distribution is vulnerable.
Earlier versions of the Red Hat distribution do not contain this
vulnerability.
Description:
Piranha is a collection of utilities used to administer the Linux Virtual
Server. LVS is a scalable and highly available server designed for large
enterprise environments. It allows seamless clustering of multiple web
servers through load balancing, heartbeat monitoring, redundancy, and
fail-over protection. To the end user, the entire system is completely
transparent, appearing as if a single server is fielding every request.
Piranha is shipped with a web-based GUI that allows system administrators to
configure and monitor the cluster. The Piranha package contains an
undocumented backdoor account and password that may allow a remote attacker
access to the LVS web administration tools. Attackers could use these tools
to cause the interface to execute arbitrary commands against the server.
Commands are executed with the same privilege level of the web server, which
varies based on the configuration of the system.
The vulnerability is present even if the LVS service is not used on the
system. If the affected "piranha-gui" package is installed and the password
has not been changed by the administrator, the system is vulnerable.
Recommendations:
Red Hat has provided updated piranha, piranha-doc, and piranha-gui packages
0.4.13-1. ISS X-Force recommends that these patches be installed
immediately. The updated piranha-gui package addresses the password and
arbitrary command execution vulnerability. After upgrading to piranha
0.4.13-1 users should ensure that a password is set by logging into the
piranha web gui and setting one.
The updated packages are available on ftp://updates.redhat.com/6.2, and
their version number is 0.4.13-1.
The file names and MD5 sums for the new packages are as follows:
ece87b0ed6f01a87b954b980c115aec0 SRPMS/piranha-0.4.13-1.src.rpm
985ff7d09172f4bfcc17c8044bee7fe8 alpha/piranha-0.4.13-1.alpha.rpm
9804348b4dc73ab82a7624c404afb930 alpha/piranha-docs-0.4.13-1.alpha.rpm
c1e536a9d14422115a89d2d56bf93926 alpha/piranha-gui-0.4.13-1.alpha.rpm
f2db6f165f21f93e9b724a94cd3fc595 i386/piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00 i386/piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30 i386/piranha-gui-0.4.13-1.i386.rpm
b9cb5cddd6e0cd99fc47eb56a06319a0 sparc/piranha-0.4.13-1.sparc.rpm
98313aa873dffe9c0520e3ad4862f2f5 sparc/piranha-docs-0.4.13-1.sparc.rpm
06cdba77a7f128e48a7c3d15c0cf9bcc sparc/piranha-gui-0.4.13-1.sparc.rpm
The ISS X-Force is updating the ISS Internet Scanner security assessment
software to detect this vulnerability in the upcoming X-Press Update 3.6.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0248 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.
Credits:
This vulnerability was discovered and researched by Allen Wilson of Internet
Security Systems and ISS X-Force. ISS would like to thank Red Hat for their
response and handling of this vulnerability.
_______
About Internet Security Systems (ISS)
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite (tm) security software,
industry-leading ePatrol (tm) managed security services, and strategic
consulting and education services, ISS is a trusted security provider to its
customers, protecting digital assets and ensuring the availability,
confidentiality and integrity of computer systems and information critical
to e-business success. ISS' lifecycle e-business security management
solutions protect more than 5,000 customers including 21 of the 25 largest
U.S. commercial banks, 9 of the 10 largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the ISS Web site at www.iss.net or
call 888-901-7477.
Copyright (c) 2000 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail [email protected]
for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force ([email protected])
of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBOQSVPjRfJiV99eG9AQHtqAP8DO4M1APQGqQGwe4gtvjHQ3iQRzyF4b9w
wpYZLhThrm4UpiZA7cMcCHgKB6KjPo/iga5KrzOdQkM+bp3QjRT+ffcR7DDSNT6h
oT5/4CzLyPXPpYlE031cX5SuVA4i675erdw3jHlxR9j6SAekP7t+og2rzj5SMTsp
N11n2IXha48=
=4SQI
-----END PGP SIGNATURE-----