Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 09 May 2015 20:10:29 -0400
From: Kash Pande <kash@...pleback.net>
To: oss-security@...ts.openwall.com
Subject: CVE for Jentu

Hello,


Jentu is an iSCSI diskless management suite that uses a web-hosted
interface for managing ZFS servers - I am the one developer who wrote
all of its code.. *hangs head*

Though the web panel is proprietary/closed-source, the client source is
open and widely distributed.

There are multiple vulnerabilities:

* Client servers do not do certificate validation against the Jentu server

* The web UI connection to the client server is restricted to only allow
"localhost" to connect, however, forged packets will allow an attacker
to execute arbitrary code as the www-data user on Linux (or www user on
FreeBSD). Because lighttpd is operating with sudo access to your entire
ZFS pool, the amount of damage that can be caused is huge.

* Jentu uses ZFS on Linux that currently lacks a working "zfs allow"
security interface, requiring lighttpd to have root access to certain
ZFS binaries with little (if any) command sanitization.

* DNS rebinding attacks are possible against the client server, causing
DoS or even privilege escalation when combined with local iSCSI station
exploits: As the user browses to http://hackedsite.com which requests an
AJAX call to http://defaultgateway/clone.php?mac=00-11-22-33-44-55 where
00-11-22-33-44-55 is the MAC of the victim machine.

* The local iSCSI server, iscsitarget (iet) runs in "permissive" mode
that allows any one of the iSCSI systems on the network to connect to
and manipulate any other iSCSI target for unrelated systems. This is the
biggest one of the bunch, as Jentu is being sold to users as THE secure
platform (aside from just unplugging your systems).



There were potential fixes for all of these issues but they were not
implemented because of development time and backwards compatibility
problems with pre-existing client networks. So this platform remains
vulnerable. I feel there should be CVE to use for tracking these issues.



-- 

Kash Pande

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.