> -----BEGIN PGP SIGNED MESSAGE-----
>
> ISS Security Advisory
> April 24, 2000
>
> Backdoor Password in Red Hat Linux Virtual Server Package
>
> Synopsis:
>
> Internet Security Systems (ISS) X-Force has identified a backdoor password
> in the Red Hat Linux Piranha product. Piranha is a package distributed by
> Red Hat, Inc. that contains the Linux Virtual Server (LVS) software, a
> web-based GUI, and monitoring and fail-over components. A backdoor password
> exists in the GUI portion of Piranha that may allow remote attackers to
> execute commands on the server. If an affected version of Piranha is
> installed and the default backdoor password remains unchanged, any remote as
> well as local user may log in to the LVS web interface. From here LVS
> parameters can be changed and arbitrary commands can be executed with the
> same privilege as that of the web server.
>
> Impact:
>
> With this backdoor password, an attacker could compromise the web server as
> well as deface and destroy the web site.
>
> Affected Versions:
>
> Piranha is distributed in three Red Hat Package Managers (RPMs): "piranha",
> "piranha-gui", and "piranha-docs". The vulnerability is present if version
> 0.4.12 of piranha-gui is installed.
>
> The current Red Hat Linux 6.2 distribution is vulnerable.
> Earlier versions of the Red Hat distribution do not contain this
> vulnerability.
>
> Description:
>
> Piranha is a collection of utilities used to administer the Linux Virtual
> Server. LVS is a scalable and highly available server designed for large
> enterprise environments. It allows seamless clustering of multiple web
> servers through load balancing, heartbeat monitoring, redundancy, and
> fail-over protection. To the end user, the entire system is completely
> transparent, appearing as if a single server is fielding every request.
>
> Piranha is shipped with a web-based GUI that allows system administrators to
> configure and monitor the cluster. The Piranha package contains an
> undocumented backdoor account and password that may allow a remote attacker
> access to the LVS web administration tools. Attackers could use these tools
> to cause the interface to execute arbitrary commands against the server.
> Commands are executed with the same privilege level as the web server, which
> varies based on the configuration of the system.
>
> The vulnerability is present even if the LVS service is not used on the
> system. If the affected "piranha-gui" package is installed and the password
> has not been changed by the administrator, the system is vulnerable.
>
> Recommendations:
>
> Red Hat has provided updated piranha, piranha-doc, and piranha-gui packages
> 0.4.13-1. ISS X-Force recommends that these patches be installed
> immediately. The updated piranha-gui package addresses the password and
> arbitrary command execution vulnerability. After upgrading to piranha
> 0.4.13-1 users should ensure that a password is set by logging into the
> piranha web gui and setting one.
>
> The updated packages are available on ftp://updates.redhat.com/6.2, and
> their version number is 0.4.13-1.
>
> The file names and MD5 sums for the new packages are as follows:
>
> ece87b0ed6f01a87b954b980c115aec0 SRPMS/piranha-0.4.13-1.src.rpm
> 985ff7d09172f4bfcc17c8044bee7fe8 alpha/piranha-0.4.13-1.alpha.rpm
> 9804348b4dc73ab82a7624c404afb930 alpha/piranha-docs-0.4.13-1.alpha.rpm
> c1e536a9d14422115a89d2d56bf93926 alpha/piranha-gui-0.4.13-1.alpha.rpm
> f2db6f165f21f93e9b724a94cd3fc595 i386/piranha-0.4.13-1.i386.rpm
> bd54eb595f2a535e52486e799715ce00 i386/piranha-docs-0.4.13-1.i386.rpm
> ad9fb552616a221db26b92b668211a30 i386/piranha-gui-0.4.13-1.i386.rpm
> b9cb5cddd6e0cd99fc47eb56a06319a0 sparc/piranha-0.4.13-1.sparc.rpm
> 98313aa873dffe9c0520e3ad4862f2f5 sparc/piranha-docs-0.4.13-1.sparc.rpm
> 06cdba77a7f128e48a7c3d15c0cf9bcc sparc/piranha-gui-0.4.13-1.sparc.rpm
>
> The ISS X-Force is updating the ISS Internet Scanner security assessment
> software to detect this vulnerability in the upcoming X-Press Update 3.6.
>
> Additional Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name
> CAN-2000-0248 to this issue. This is a candidate for inclusion in the CVE
> list (http://cve.mitre.org), which standardizes names for security problems.
>
> Credits:
>
> This vulnerability was discovered and researched by Allen Wilson of Internet
> Security Systems and ISS X-Force. ISS would like to thank Red Hat for their
> response and handling of this vulnerability.
>
> _______
>
> About Internet Security Systems (ISS)
>
> ISS is a leading global provider of security management solutions for
> e-business. By offering best-of-breed SAFEsuite (tm) security software,
> industry-leading ePatrol (tm) managed security services, and strategic
> consulting and education services, ISS is a trusted security provider to its
> customers, protecting digital assets and ensuring the availability,
> confidentiality and integrity of computer systems and information critical
> to e-business success. ISS' lifecycle e-business security management
> solutions protect more than 5,000 customers including 21 of the 25 largest
> U.S. commercial banks, 9 of the 10 largest telecommunications companies and
> over 35 government agencies. Founded in 1994, ISS is headquartered in
> Atlanta, GA, with additional offices throughout North America and
> international operations in Asia, Australia, Europe, Latin America and the
> Middle East. For more information, visit the ISS Web site at www.iss.net or
> call 888-901-7477.
>
> Copyright (c) 2000 Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this Alert
> electronically. It is not to be edited in any way without express consent of
> the X-Force. If you wish to reprint the whole or any part of this Alert in
> any other medium excluding electronic medium, please e-mail xforce@xxxxxxx
> for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There are
> NO warranties with regard to this information. In no event shall the author
> be liable for any damages whatsoever arising out of or in connection with
> the use or spread of this information. Any use of this information is at the
> user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
> as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force (xforce@xxxxxxx)
> of Internet Security Systems, Inc.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3a
> Charset: noconv
>
> iQCVAwUBOQSVPjRfJiV99eG9AQHtqAP8DO4M1APQGqQGwe4gtvjHQ3iQRzyF4b9w
> wpYZLhThrm4UpiZA7cMcCHgKB6KjPo/iga5KrzOdQkM+bp3QjRT+ffcR7DDSNT6h
> oT5/4CzLyPXPpYlE031cX5SuVA4i675erdw3jHlxR9j6SAekP7t+og2rzj5SMTsp
> N11n2IXha48=
> =4SQI
> -----END PGP SIGNATURE-----
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
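The advisory tells administrators to check for piranha-gui 0.4.12 and to install the 0.4.13-1 packages after checking their MD5 sums. The following script is an added example of those two defender-side checks; it is not part of the ISS advisory, of Red Hat's packages, or of the mailing-list post. It assumes a POSIX shell with `md5sum` and, on the live system, the `rpm` tool (`rpm -q --qf` is queried only if it is present). The `PIRANHA_I386_MANIFEST` constant copies the i386 sums from the advisory; the file the demonstration creates is a constructed stand-in, not a real RPM, so the demonstration deliberately shows the check failing.

```shell
#!/bin/sh
# Added example (not from the ISS advisory or the Piranha project).
# Two checks a defender wants for the issue above:
#   is_affected_piranha_gui VERSION-RELEASE
#       returns 0 when the installed piranha-gui is the affected 0.4.12 build
#   verify_update_md5 MANIFEST DIR
#       returns 0 only when every file listed in MANIFEST exists under DIR
#       and its MD5 sum matches; manifest lines are "<md5> <relative path>",
#       the layout used in the advisory.

# i386 sums copied from the advisory (sparc/alpha lists would be added the same way).
PIRANHA_I386_MANIFEST='f2db6f165f21f93e9b724a94cd3fc595  i386/piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00  i386/piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30  i386/piranha-gui-0.4.13-1.i386.rpm'

# Only the 0.4.12 build of piranha-gui is named as affected; any release
# suffix (e.g. 0.4.12-1) still counts as that build.
is_affected_piranha_gui() {
    case "$1" in
        0.4.12|0.4.12-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare each listed file under $2 against the expected MD5 in $1.
# Missing files count as failures: an update set with a package missing
# must not be installed either.
verify_update_md5() {
    manifest="$1"; dir="$2"; failures=0
    # A here-document (not a pipe) keeps the loop in the current shell,
    # so the failure counter survives the loop.
    while read -r expected path; do
        [ -n "$path" ] || continue        # skip blank lines
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$dir/$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual, expected $expected)"
            failures=$((failures + 1))
        fi
    done <<EOF
$manifest
EOF
    [ "$failures" -eq 0 ]
}

# Live check of the installed package version, if rpm is available here.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' piranha-gui 2>/dev/null || true)
    if is_affected_piranha_gui "$installed"; then
        echo "piranha-gui $installed is the affected build: upgrade to 0.4.13-1"
    else
        echo "piranha-gui not installed or not the affected build ($installed)"
    fi
fi

# Stand-alone demonstration with a constructed stand-in file (not a real RPM).
# Against the advisory's real sums the stand-in must fail, which is the point:
# a download that does not match the published sums is not installed.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/i386"
printf 'constructed stand-in, not an rpm\n' > "$demo_dir/i386/piranha-gui-0.4.13-1.i386.rpm"
if verify_update_md5 "$PIRANHA_I386_MANIFEST" "$demo_dir"; then
    echo "all update files verified; safe to run rpm -Fvh on them"
else
    echo "refusing to install: manifest check failed"
fi
rm -rf "$demo_dir"
```

On a real host the download directory would hold the files fetched from ftp://updates.redhat.com/6.2, and the script's manifest check gates the upgrade; after the upgrade the advisory's last step, setting a password through the GUI, still has to be done by hand.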