TCLUG Archive

Backdoor Password in Red Hat Linux Virtual Server Package



Anybody else get this? I got this as an email forwarded to me and I'd
like to see a web site. TIA,

Troy

----------
ISS Security Advisory
April 24, 2000

Backdoor Password in Red Hat Linux Virtual Server Package

Synopsis:

Internet Security Systems (ISS) X-Force has identified a backdoor
password in the Red Hat Linux Piranha product. Piranha is a package
distributed by Red Hat, Inc. that contains the Linux Virtual Server
(LVS) software, a web-based GUI, and monitoring and fail-over
components. A backdoor password exists in the GUI portion of Piranha
that may allow remote attackers to execute commands on the server. If
an affected version of Piranha is installed and the default backdoor
password remains unchanged, any remote as well as local user may log in
to the LVS web interface. From here LVS parameters can be changed and
arbitrary commands can be executed with the same privilege as that of
the web server.

Impact:

With this backdoor password, an attacker could compromise the web
server as well as deface and destroy the web site.

Affected Versions:

Piranha is distributed in three Red Hat Package Managers (RPMs):
"piranha", "piranha-gui", and "piranha-docs". The vulnerability is
present if version 0.4.12 of piranha-gui is installed.

The current distribution of Red Hat Linux 6.2 is vulnerable. Earlier
versions of the Red Hat distribution do not contain this vulnerability.

Description:

Piranha is a collection of utilities used to administer the Linux
Virtual Server. LVS is a scalable and highly available server designed
for large enterprise environments. It allows seamless clustering of
multiple web servers through load balancing, heartbeat monitoring,
redundancy, and fail-over protection. To the end user, the entire
system is completely transparent, appearing as if a single server is
fielding every request.

Piranha is shipped with a web-based GUI that allows system
administrators to configure and monitor the cluster. The Piranha
package contains an undocumented backdoor account and password that may
allow a remote attacker access to the LVS web administration tools.
Attackers could use these tools to cause the interface to execute
arbitrary commands against the server. Commands are executed with the
same privilege level of the web server, which varies based on the
configuration of the system.

The vulnerability is present even if the LVS service is not used on the
system. If the affected "piranha-gui" package is installed and the
password has not been changed by the administrator, the system is
vulnerable.

Recommendations:

Red Hat has provided updated piranha, piranha-doc, and piranha-gui
packages 0.4.13-1. ISS X-Force recommends that these patches be
installed immediately. The updated piranha-gui package addresses the
password and arbitrary command execution vulnerability. After upgrading
to piranha 0.4.13-1 users should ensure that a password is set by
logging into the piranha web gui and setting one.

The updated packages are available on ftp://updates.redhat.com/6.2, and
their version number is 0.4.13-1. 

The file names and MD5 sums for the new packages are as follows: 
 
ece87b0ed6f01a87b954b980c115aec0	SRPMS/piranha-0.4.13-1.src.rpm
985ff7d09172f4bfcc17c8044bee7fe8	alpha/piranha-0.4.13-1.alpha.rpm
9804348b4dc73ab82a7624c404afb930	alpha/piranha-docs-0.4.13-1.alpha.rpm
c1e536a9d14422115a89d2d56bf93926	alpha/piranha-gui-0.4.13-1.alpha.rpm
f2db6f165f21f93e9b724a94cd3fc595	i386/piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00	i386/piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30	i386/piranha-gui-0.4.13-1.i386.rpm
b9cb5cddd6e0cd99fc47eb56a06319a0	sparc/piranha-0.4.13-1.sparc.rpm
98313aa873dffe9c0520e3ad4862f2f5	sparc/piranha-docs-0.4.13-1.sparc.rpm
06cdba77a7f128e48a7c3d15c0cf9bcc	sparc/piranha-gui-0.4.13-1.sparc.rpm

The ISS X-Force is updating the ISS Internet Scanner security
assessment software to detect this vulnerability in the upcoming
X-Press Update 3.6.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2000-0248 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

Credits:

This vulnerability was discovered and researched by Allen Wilson of
Internet Security Systems and ISS X-Force. ISS would like to thank Red
Hat for their response and handling of this vulnerability.
----------
-- 
	Troy Johnson <http://umn.edu/~john1536>

Under democracy one party always devotes its chief energies
to trying to prove that the other party is unfit to rule--and
both commonly succeed, and are right... The United States
has never developed an aristocracy really disinterested or an
intelligentsia really intelligent. Its history is simply a record
of vacillations between two gangs of frauds. 
	--- H. L. Mencken
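
Added example (not part of the forwarded advisory, and not ISS or Red Hat code): two shell helpers for acting on the advisory's "Affected Versions" and "Recommendations" sections. The function names and the UNLISTED/NOT-INSTALLED labels are assumptions made here; the manifest layout is the MD5-then-path format the advisory uses, which `md5sum -c` does not take when the separator is a tab.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for the piranha-gui advisory above.

# Classify a piranha-gui VERSION-RELEASE string using only the versions
# the advisory names: 0.4.12 is affected, 0.4.13-1 is the fixed build.
# On a real host the input would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' piranha-gui
classify_piranha_gui() {
    case "$1" in
        0.4.12|0.4.12-*) echo "VULNERABLE" ;;
        0.4.13-1)        echo "FIXED" ;;
        "")              echo "NOT-INSTALLED" ;;
        *)               echo "UNLISTED" ;;   # version not mentioned in the advisory
    esac
}

# Verify downloaded files under DIR against a manifest whose lines are
#   <md5><whitespace><relative/path>
# Prints "OK|MISMATCH|MISSING <path>" per entry and returns non-zero
# if any entry is not OK, so it can gate an install step.
verify_manifest() {
    local manifest="$1" dir="$2" want path got rc=0
    while read -r want path || [ -n "$want" ]; do
        [ -z "$want" ] && continue          # skip blank lines
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        got=$(md5sum "$dir/$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}
```

Even with a FIXED result, the advisory's last step still applies: log in to the piranha web GUI and set a password.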