73074 2002-08-08  17:34  /108 rader/ David Endler <dendler@idefense.com>
Importerad: 2002-08-08  17:34  av Brevbäraren
Extern mottagare: vulnwatch@vulnwatch.org
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: full-disclosure@lists.netsys.com
Extern mottagare: vuln-dev@securityfocus.com
Externa svar till: dendler@idefense.com
Mottagare: Bugtraq (import) <1013>
Ärende: iDEFENSE Security Advisory: iSCSI Default Configuration File Settings
------------------------------------------------------------
iDEFENSE Security Advisory 08.08.2002 
iSCSI Default Configuration File Settings


DESCRIPTION 

iSCSI is a popular new protocol that allows the SCSI protocol 
to be used over traditional IP networks. This allows for SAN 
like storage arrays without requiring new network 
infrastructure. iSCSI’s primary authentication mechanism for 
users is the CHAP protocol (Challenge Handshake Authentication 
Protocol), which is very resilient against replay attacks and 
provides strong protection for the user’s password. The CHAP 
protocol requires the user’s password to connect, and in order 
to automate this process the user must provide the cleartext 
password to the system that is then stored, typically in 
cleartext, so that it will be accessible when needed. Care 
must be taken to ensure configuration files containing the 
cleartext password are properly protected.  For more 
information on the CHAP protocol please see RFC 1994. 

The primary iSCSI implementation for Linux, “Linux-iSCSI” is a 
freely available software package primarily maintained by 
Cisco Systems. This package stores it primary configuration 
directives in the file:

/etc/iscsi.conf

This file is created world writeable by default and no mention 
is made in the file of the importance of protecting it from 
being read by attackers. At least one vendor has shipped this 
file world readable in the default configuration of a beta 
release of an operating system, when notified they stated it 
would be fixed in the release version of the operating system.

ANALYSIS

Any authentication systems that require cleartext passwords to 
be stored should be carefully audited to ensure that passwords 
are properly protected. This problem can also potentially 
affect numerous packages, ranging from NTP and BIND to iSCSI 
all of which require stored passwords or secrets. 

DETECTION

Check the permissions on the file:

/etc/iscsi.conf

The file should be owned by the user and group root, and only 
the root user should be granted read and write access to the 
file, all other permissions should be removed (i.e. file 
permissions should be 0400) 

VENDOR RESPONSE

Red Hat has confirmed that the file /etc/iscsi.conf was set 
world readable in the Limbo Beta, and that it will be fixed in 
the next release version of Red Hat Linux. SuSE has confirmed 
that the file permissions are set correctly on 
/etc/iscsi.conf. No other major Linux vendors appear to be 
shipping the iSCSI package yet. 

DISCOVERY CREDIT

Kurt Seifried (kurt@seifried.org)

DISCLOSURE TIMELINE

July 11, 2002:	Problem found on Red Hat Linux Limbo Beta #1
		      Initial contacts sent to Red Hat, SuSE and Cisco

July 12, 2002:	SuSE confirms file mode 600 by default, not 
vulnerable
Email sent to Matthew Franz at Cisco, additional Cisco 
employees also contacted, iSCSI for Linux is an external 
project at Cisco, PSIRT was not used, no response ever 
received. 

July 17, 2002:   iDEFENSE client disclosure

July 29, 20022:  Problem confirmed in Red Hat Limbo Beta #2, 
Red Hat contacted again, no response received. 

August 6, 2002:  No update of Linux iSCSI, nor mention of 
problem on website. 

August 8, 2002:  Public Advisory


http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com
(73074) /David Endler <dendler@idefense.com>/-------