Date: Sat, 09 May 2015 20:10:29 -0400
From: Kash Pande <kash@...pleback.net>
To: oss-security@...ts.openwall.com
Subject: CVE for Jentu

Hello,

Jentu is an iSCSI diskless management suite that uses a web-hosted interface for managing ZFS servers - I am the one developer who wrote all of its code. *hangs head*

Though the web panel is proprietary/closed-source, the client source is open and widely distributed.

There are multiple vulnerabilities:

* Client servers do not do certificate validation against the Jentu server.

* The web UI connection to the client server is restricted to only allow "localhost" to connect; however, forged packets will allow an attacker to execute arbitrary code as the www-data user on Linux (or the www user on FreeBSD). Because lighttpd is operating with sudo access to your entire ZFS pool, the amount of damage that can be caused is huge.

* Jentu uses ZFS on Linux, which currently lacks a working "zfs allow" security interface, requiring lighttpd to have root access to certain ZFS binaries with little (if any) command sanitization.

* DNS rebinding attacks are possible against the client server, causing DoS or even privilege escalation when combined with local iSCSI station exploits: the user browses to http://hackedsite.com, which requests an AJAX call to http://defaultgateway/clone.php?mac=00-11-22-33-44-55, where 00-11-22-33-44-55 is the MAC of the victim machine.

* The local iSCSI server, iscsitarget (iet), runs in "permissive" mode, which allows any one of the iSCSI systems on the network to connect to and manipulate any other iSCSI target for unrelated systems. This is the biggest one of the bunch, as Jentu is being sold to users as THE secure platform (aside from just unplugging your systems).

There were potential fixes for all of these issues, but they were not implemented because of development time and backwards compatibility problems with pre-existing client networks. So this platform remains vulnerable.

I feel there should be a CVE to use for tracking these issues.

-- 
Kash Pande
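For the iscsitarget (iet) item, the "permissive" mode the post describes is the default initiator access list that lets any initiator log in to any target. The fragment below is an added example from the editor, not Jentu's configuration: it shows the permissive line beside a per-station restriction in iet's initiators.allow file. The file path is the one iet normally uses, while the target names and addresses are made up for the illustration.

```conf
# /etc/iet/initiators.allow (path as shipped by iscsitarget; target names
# and addresses below are invented for this example)

# Permissive form: any initiator may log in to any target.
ALL ALL

# Restricted form: each station's target is reachable only from that
# station's own address. Remove the ALL ALL line above, since the first
# matching entry wins and it would otherwise admit everyone.
iqn.2015-05.net.example:station-001122334455 192.168.10.11
iqn.2015-05.net.example:station-0a1b2c3d4e5f 192.168.10.12
```

An address-based list is only as strong as the network it runs on: a station that can spoof or take over another station's address is past it. For stations that cannot be trusted to keep their address, pair this with per-target CHAP credentials (IncomingUser in ietd.conf) so that a login also has to present a secret the other stations do not hold.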
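The DNS rebinding item and the "little (if any) command sanitization" item share one root: clone.php trusts that a request reaching it from a local address is a legitimate one, and then hands the mac parameter to a privileged ZFS command. The following is an added example, written by the editor and not code from Jentu or from the poster, of the two checks a handler like that would want before it touches the pool: a Host header allowlist (a rebound request from hackedsite.com still carries the attacker's hostname in Host even though the TCP peer looks local) and a strict MAC syntax check with the command built as an argv list rather than a shell string. The allowed host names, the dataset names (tank/images/base@golden, tank/stations/...) and the request dictionaries are assumptions made for the illustration.

```python
import re

# Added illustration, not Jentu's code. Host values, dataset layout and the
# request shape below are assumptions made for this example.

# Host values under which the panel legitimately answers. A DNS-rebinding
# request arrives with the attacker's hostname (or a bare gateway IP) in the
# Host header, so an allowlist refuses it even though the peer address is local.
ALLOWED_HOSTS = frozenset({"localhost", "localhost:80", "127.0.0.1", "127.0.0.1:80"})

# Exactly six hex octets separated by '-' (the form used in clone.php?mac=...).
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}$")

# Assumed dataset layout for the example: one golden snapshot cloned per station.
BASE_IMAGE = "tank/images/base@golden"
STATION_PARENT = "tank/stations"


def host_allowed(host_header):
    """True only if the Host header is one the panel is meant to answer."""
    if host_header is None:
        return False
    return host_header.strip().lower() in ALLOWED_HOSTS


def normalize_mac(mac):
    """Return the MAC lowercased if it is well-formed, else None."""
    if mac is None or not MAC_RE.match(mac):
        return None
    return mac.lower()


def build_clone_argv(mac):
    """Build the zfs(8) command as an argv list, never a shell string, so the
    MAC can only ever be a single argument. Callers must pass a MAC that
    normalize_mac() accepted."""
    station = "%s/%s" % (STATION_PARENT, mac.replace("-", ""))
    return ["zfs", "clone", BASE_IMAGE, station]


def handle_clone(headers, params):
    """Decide what a clone.php-style endpoint should do with one request.

    headers and params are plain dicts standing in for the HTTP request.
    Returns (status, detail); on success detail is the argv to run."""
    if not host_allowed(headers.get("Host")):
        return 403, "rejected: unexpected Host header"
    mac = normalize_mac(params.get("mac"))
    if mac is None:
        return 400, "rejected: mac is not a 6-octet MAC"
    return 200, build_clone_argv(mac)


if __name__ == "__main__":
    # Constructed requests: the rebinding scenario from the post, a command
    # injection attempt through the mac parameter, and a legitimate request.
    samples = [
        ({"Host": "hackedsite.com"}, {"mac": "00-11-22-33-44-55"}),
        ({"Host": "localhost"}, {"mac": "00-11-22-33-44-55; rm -rf /"}),
        ({"Host": "localhost"}, {"mac": "00-11-22-33-44-55"}),
    ]
    for h, p in samples:
        print(handle_clone(h, p))
```

Where the web server really must reach zfs through sudo, as the post says lighttpd does, the same argv list is what should be passed to sudo, and the sudoers entry should name the exact zfs subcommands permitted rather than the binary as a whole; the Host check does not replace a CSRF token or an Origin check, it only removes the easy rebinding path.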