lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100216010544.19105.qmail@securityfocus.com>
Date: 16 Feb 2010 01:05:44 -0000
From: sam.johnston@....net.au
To: bugtraq@...urityfocus.com
Subject: Enomaly ECP: Multiple vulnerabilities in VMcasting protocol &
 implementation.

Enomaly ECP: Multiple vulnerabilities in VMcasting protocol & implementation.

Synopsis

Enomaly ECP up to and including v3.0.4 is believed to contain an insecure
silent update mechanism that could allow a remote attacker to execute
arbitrary code as root, and to inject or modify VM workloads for execution
within user environment or to replay older, insecure workloads.

Both the Enomaly ECP implementation and the VMcasting protocol itself are
believed to be vulnerable.

Background

Enomaly ECP is management software for virtual machines in cloud computing 
environments.

Description

Sam Johnston (http://samj.net/) of Australian Online Solutions
(http://www.aos.net.au) reported that the vmfeed module, an insecure
implementation of the insecure VMcasting protocol (http://www.vmcasting.org/)
includes a silent update mechanism that downloads and executes Python code
from Enomaly's corporate web server (http://enomaly.com/fileadmin/eggs/)
over HTTP, without authentication or integrity checks. The code is triggered
when the "application/python-egg" MIME type is encountered.

The module also contains functionality for downloading workloads (virtual
machines) from a feed which is itself retrieved over HTTP. While the VMcasting
protocol (http://www.vmcasting.org/) describes a mechanism for digitally
signing payloads, the mechanism is not implemented and there is no requirement
to transfer feeds securely (e.g. over HTTPS). The implementation itself
actively rejects URLs that do not start with "http" or "ftp" with an error.

The module has the following feeds hardcoded:
 - Enomalism VMCasting Test Feed [http://enomalism.com/vmcast_appliances.php]
 - VMCasting Production Module Feed [http://enomalism.com/vmcast_modules.php]

Impact

Combined with the ability to intercept requests to Enomaly's corporate web
server by other means such as ARP or DNS spoofing, or compromise the server
itself or any intermediary server, it may be possible to execute arbitrary
commands as the root user on any server requesting the feeds. It may also be
possible for an attacker to run workloads of their choice, to modify existing
workloads and to replay old, known-insecure workloads (even if signed).

Workaround

Resolve enomalism.com and enomaly.com to 127.0.0.1 in affected servers' hosts
files or migrate to OpenECP which includes fixes for the vulnerabilities.

Resolution

There is no resolution at this time as the feature cannot be disabled. Vendor
did not confirm whether subsequent/future releases [will] address the problem.

History

2009-11-02 Open source distributions for Enomaly ECP removed from Internet.
2010-01-06 Email request for open source code Enomaly ECP code denied by CEO.
2010-02-03 Public discussion of vulnerability, verified in current source.
2010-02-03 Strategic Advisor & Board Member claims "Many of the items have
been addressed in [Service Provider Edition and soon to be released High
Assurance] editions. We will review your comments above for future inclusion
into our product road map". Fails to identify which issues remain.
2010-02-09 OpenECP forked from Enomaly ECP, resolves vulnerabilities.
2010-02-09 Chief Technologist claims "ECP 3.0 is a significantly different
product than 2.0 servicing different market needs. [...] Technically ECP2.0
was Enomalism 2.0, not the Elastic Computing platform."
2010-02-10 Changelogs showing common lineage are removed from Internet.
2010-02-?? http://src.enomaly.com is restored claiming "Our current platform,
Enomaly ECP Service Provider Edition, is a completely different product."
2010-02-16 Vulnerability report released unverified.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ