Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Full Disclosure>
  3. Full-Disclosure
iDEFENSE Security Advisory: iSCSI Default Configuration File Settings
dendler at idefense
Aug 8, 2002, 1:27 AM
Post #1 of 2 (814 views)
Permalink
iDEFENSE Security Advisory 08.08.2002
iSCSI Default Configuration File Settings


DESCRIPTION

iSCSI is a popular new protocol that allows the SCSI protocol
to be used over traditional IP networks. This allows for SAN
like storage arrays without requiring new network
infrastructure. iSCSI’s primary authentication mechanism for
users is the CHAP protocol (Challenge Handshake Authentication
Protocol), which is very resilient against replay attacks and
provides strong protection for the user’s password. The CHAP
protocol requires the user’s password to connect, and in order
to automate this process the user must provide the cleartext
password to the system that is then stored, typically in
cleartext, so that it will be accessible when needed. Care
must be taken to ensure configuration files containing the
cleartext password are properly protected. For more
information on the CHAP protocol please see RFC 1994.

The primary iSCSI implementation for Linux, “Linux-iSCSI” is a
freely available software package primarily maintained by
Cisco Systems. This package stores it primary configuration
directives in the file:

/etc/iscsi.conf

This file is created world writeable by default and no mention
is made in the file of the importance of protecting it from
being read by attackers. At least one vendor has shipped this
file world readable in the default configuration of a beta
release of an operating system, when notified they stated it
would be fixed in the release version of the operating system.

ANALYSIS

Any authentication systems that require cleartext passwords to
be stored should be carefully audited to ensure that passwords
are properly protected. This problem can also potentially
affect numerous packages, ranging from NTP and BIND to iSCSI
all of which require stored passwords or secrets.

DETECTION

Check the permissions on the file:

/etc/iscsi.conf

The file should be owned by the user and group root, and only
the root user should be granted read and write access to the
file, all other permissions should be removed (i.e. file
permissions should be 0400)

VENDOR RESPONSE

Red Hat has confirmed that the file /etc/iscsi.conf was set
world readable in the Limbo Beta, and that it will be fixed in
the next release version of Red Hat Linux. SuSE has confirmed
that the file permissions are set correctly on
/etc/iscsi.conf. No other major Linux vendors appear to be
shipping the iSCSI package yet.

DISCOVERY CREDIT

Kurt Seifried (kurt@seifried.org)

DISCLOSURE TIMELINE

July 11, 2002: Problem found on Red Hat Linux Limbo Beta #1
Initial contacts sent to Red Hat, SuSE and Cisco

July 12, 2002: SuSE confirms file mode 600 by default, not
vulnerable
Email sent to Matthew Franz at Cisco, additional Cisco
employees also contacted, iSCSI for Linux is an external
project at Cisco, PSIRT was not used, no response ever
received.

July 17, 2002: iDEFENSE client disclosure

July 29, 20022: Problem confirmed in Red Hat Limbo Beta #2,
Red Hat contacted again, no response received.

August 6, 2002: No update of Linux iSCSI, nor mention of
problem on website.

August 8, 2002: Public Advisory


http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com
Re: [VulnWatch] iDEFENSE Security Advisory: iSCSI Default Configuration File Settings [ In reply to ]
mcaudill at cisco
Aug 8, 2002, 3:14 PM
Post #2 of 2 (799 views)
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Cisco PSIRT would like clarify the issue raised in the following
iDEFENSE Security Advisory.

The installation script for the linux-iscsi drivers on Cisco's worldwide
web site (http://www.cisco.com/) and the corresponding mirrored distributions
on SourceForge (http://sourceforge.net/) installs the /etc/iscsi.conf file
with mode 0600 (read/write only by the file owner which is set to the root
user). Therefore, installations of linux-iscsi installed from a distribution
downloaded from Cisco or SourceForge are not vulnerable. Other Linux
distributors may repackage the iSCSI drivers setting the file permissions
appropriately for their own distribution.

Since the /etc/iscsi.conf file contains CHAP passwords, this file should
not be readable or writable by anyone other than the root user. If you
are running a version of the linux-iscsi drivers from another vendor, you
should both inspect the permissions on the /etc/iscsi.conf file and patch
your systems when those vendors issue their respective patches for the issue.

Also, let me take this opportunity to remind folks that vulnerabilities
within any Cisco product should be reported directly to "psirt@cisco.com"
or "security-alert@cisco.com". At the very least we can assist with the
verification of the vulnerability.

- -Mike-


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPVLsHZPS/wbyNnWcEQJ53gCfY9MIBnFXDk6yVbpMVMSv3oVr6FIAn0Dc
y3DuunME0m7s2pChKiTDvJzW
=7o1f
-----END PGP SIGNATURE-----



> David Endler <dendler@idefense.com> [2002-08-08 10:30] wrote:
> iDEFENSE Security Advisory 08.08.2002
> iSCSI Default Configuration File Settings
>
>
> DESCRIPTION
>
> iSCSI is a popular new protocol that allows the SCSI protocol
> to be used over traditional IP networks. This allows for SAN
> like storage arrays without requiring new network
> infrastructure. iSCSI’s primary authentication mechanism for
> users is the CHAP protocol (Challenge Handshake Authentication
> Protocol), which is very resilient against replay attacks and
> provides strong protection for the user’s password. The CHAP
> protocol requires the user’s password to connect, and in order
> to automate this process the user must provide the cleartext
> password to the system that is then stored, typically in
> cleartext, so that it will be accessible when needed. Care
> must be taken to ensure configuration files containing the
> cleartext password are properly protected. For more
> information on the CHAP protocol please see RFC 1994.
>
> The primary iSCSI implementation for Linux, “Linux-iSCSI” is a
> freely available software package primarily maintained by
> Cisco Systems. This package stores it primary configuration
> directives in the file:
>
> /etc/iscsi.conf
>
> This file is created world writeable by default and no mention
> is made in the file of the importance of protecting it from
> being read by attackers. At least one vendor has shipped this
> file world readable in the default configuration of a beta
> release of an operating system, when notified they stated it
> would be fixed in the release version of the operating system.
>
> ANALYSIS
>
> Any authentication systems that require cleartext passwords to
> be stored should be carefully audited to ensure that passwords
> are properly protected. This problem can also potentially
> affect numerous packages, ranging from NTP and BIND to iSCSI
> all of which require stored passwords or secrets.
>
> DETECTION
>
> Check the permissions on the file:
>
> /etc/iscsi.conf
>
> The file should be owned by the user and group root, and only
> the root user should be granted read and write access to the
> file, all other permissions should be removed (i.e. file
> permissions should be 0400)
>
> VENDOR RESPONSE
>
> Red Hat has confirmed that the file /etc/iscsi.conf was set
> world readable in the Limbo Beta, and that it will be fixed in
> the next release version of Red Hat Linux. SuSE has confirmed
> that the file permissions are set correctly on
> /etc/iscsi.conf. No other major Linux vendors appear to be
> shipping the iSCSI package yet.
>
> DISCOVERY CREDIT
>
> Kurt Seifried (kurt@seifried.org)
>
> DISCLOSURE TIMELINE
>
> July 11, 2002: Problem found on Red Hat Linux Limbo Beta #1
> Initial contacts sent to Red Hat, SuSE and Cisco
>
> July 12, 2002: SuSE confirms file mode 600 by default, not
> vulnerable
> Email sent to Matthew Franz at Cisco, additional Cisco
> employees also contacted, iSCSI for Linux is an external
> project at Cisco, PSIRT was not used, no response ever
> received.
>
> July 17, 2002: iDEFENSE client disclosure
>
> July 29, 20022: Problem confirmed in Red Hat Limbo Beta #2,
> Red Hat contacted again, no response received.
>
> August 6, 2002: No update of Linux iSCSI, nor mention of
> problem on website.
>
> August 8, 2002: Public Advisory
>
>
> http://www.idefense.com/contributor.html
>
> David Endler, CISSP
> Director, Technical Intelligence
> iDEFENSE, Inc.
> 14151 Newbrook Drive
> Suite 100
> Chantilly, VA 20151
> voice: 703-344-2632
> fax: 703-961-1071
>
> dendler@idefense.com
> www.idefense.com
>
>
>
>
>
> [ ----- End of Included Message ----- ]

--
----------------------------------------------------------------------------
| || || | Mike Caudill | mcaudill@cisco.com |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
----------------------------------------------------------------------------

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal