
Date:         Tue, 25 Apr 2000 10:21:26 -0700
From: Aleph One <aleph1@UNDERGROUND.ORG>
Subject:      ISS Security Advisory: Backdoor Password in Red Hat Linux Virtual
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
April 24, 2000

Backdoor Password in Red Hat Linux Virtual Server Package

Synopsis:

Internet Security Systems (ISS) X-Force has identified a backdoor password
in the Red Hat Linux Piranha product. Piranha is a package distributed by
Red Hat, Inc. that contains the Linux Virtual Server (LVS) software, a
web-based GUI, and monitoring and fail-over components. A backdoor password
exists in the GUI portion of Piranha that may allow remote attackers to
execute commands on the server. If an affected version of Piranha is
installed and the default backdoor password remains unchanged, any remote as
well as local user may log in to the LVS web interface. From here LVS
parameters can be changed and arbitrary commands can be executed with the
same privilege as that of the web server.

Impact:

With this backdoor password, an attacker could compromise the web server as
well as deface and destroy the web site.

Affected Versions:

Piranha is distributed in three Red Hat Package Managers (RPMs): "piranha",
"piranha-gui", and "piranha-docs". The vulnerability is present if version
0.4.12 of piranha-gui is installed.

The current distribution of Red Hat Linux 6.2 is vulnerable.
Earlier versions of the Red Hat distribution do not contain this
vulnerability.

Description:

Piranha is a collection of utilities used to administer the Linux Virtual
Server. LVS is a scalable and highly available server designed for large
enterprise environments. It allows seamless clustering of multiple web
servers through load balancing, heartbeat monitoring, redundancy, and
fail-over protection. To the end user, the entire system is completely
transparent, appearing as if a single server is fielding every request.

Piranha is shipped with a web-based GUI that allows system administrators to
configure and monitor the cluster. The Piranha package contains an
undocumented backdoor account and password that may allow a remote attacker
access to the LVS web administration tools. Attackers could use these tools
to cause the interface to execute arbitrary commands against the server.
Commands are executed with the same privilege level as the web server, which
varies based on the configuration of the system.

The vulnerability is present even if the LVS service is not used on the
system. If the affected "piranha-gui" package is installed and the password
has not been changed by the administrator, the system is vulnerable.

Recommendations:

Red Hat has provided updated piranha, piranha-docs, and piranha-gui packages,
version 0.4.13-1. ISS X-Force recommends that these patches be installed
immediately. The updated piranha-gui package addresses the password and
arbitrary command execution vulnerability. After upgrading to piranha
0.4.13-1 users should ensure that a password is set by logging into the
piranha web gui and setting one.

The updated packages are available on ftp://updates.redhat.com/6.2, and
their version number is 0.4.13-1.

The file names and MD5 sums for the new packages are as follows:

ece87b0ed6f01a87b954b980c115aec0	SRPMS/piranha-0.4.13-1.src.rpm
985ff7d09172f4bfcc17c8044bee7fe8	alpha/piranha-0.4.13-1.alpha.rpm
9804348b4dc73ab82a7624c404afb930	alpha/piranha-docs-0.4.13-1.alpha.rpm
c1e536a9d14422115a89d2d56bf93926	alpha/piranha-gui-0.4.13-1.alpha.rpm
f2db6f165f21f93e9b724a94cd3fc595	i386/piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00	i386/piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30	i386/piranha-gui-0.4.13-1.i386.rpm
b9cb5cddd6e0cd99fc47eb56a06319a0	sparc/piranha-0.4.13-1.sparc.rpm
98313aa873dffe9c0520e3ad4862f2f5	sparc/piranha-docs-0.4.13-1.sparc.rpm
06cdba77a7f128e48a7c3d15c0cf9bcc	sparc/piranha-gui-0.4.13-1.sparc.rpm

The ISS X-Force is updating the ISS Internet Scanner security assessment
software to detect this vulnerability in the upcoming X-Press Update 3.6.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0248 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

Credits:

This vulnerability was discovered and researched by Allen Wilson of Internet
Security Systems and ISS X-Force. ISS would like to thank Red Hat for their
response and handling of this vulnerability.

_______

About Internet Security Systems (ISS)

ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite (tm) security software,
industry-leading ePatrol (tm) managed security services, and strategic
consulting and education services, ISS is a trusted security provider to its
customers, protecting digital assets and ensuring the availability,
confidentiality and integrity of computer systems and information critical
to e-business success. ISS' lifecycle e-business security management
solutions protect more than 5,000 customers including 21 of the 25 largest
U.S. commercial banks, 9 of the 10 largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the ISS Web site at www.iss.net or
call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force (xforce@iss.net)
of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

-----END PGP SIGNATURE-----
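
The version check implied by "Affected Versions" and "Recommendations" above, as an added example that is not part of the ISS advisory or of Red Hat's tooling: a shell function classifies `rpm -q piranha-gui` output against the two versions the advisory names, and a second one applies it to a host inventory. The function names, status strings and sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `rpm -q piranha-gui` output against the versions
# named in the advisory (0.4.12 affected, 0.4.13-1 updated).
# Function names and status strings are hypothetical.

classify_piranha_gui() {
    line=$1
    case "$line" in
        *"is not installed"*)
            echo "NOT_INSTALLED" ;;
        piranha-gui-0.4.12-*)
            # Affected even when the LVS service itself is not in use.
            echo "VULNERABLE" ;;
        piranha-gui-0.4.13-*)
            # Updated package; the advisory still asks that a GUI password be set.
            echo "UPDATED_CHECK_PASSWORD" ;;
        piranha-gui-*)
            # A version the advisory does not name: review by hand.
            echo "OTHER_VERSION_REVIEW" ;;
        *)
            echo "UNRECOGNIZED" ;;
    esac
}

# Read "host<space>rpm -q output" lines on stdin; print "host status" per line.
audit_inventory() {
    while read -r host pkgline; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(classify_piranha_gui "$pkgline")"
    done
}

# Constructed sample inventory (hostnames and lines are made up).
sample_inventory() {
    cat <<'EOF'
lvs1 piranha-gui-0.4.12-1
lvs2 piranha-gui-0.4.13-1
web3 package piranha-gui is not installed
EOF
}

# On a live host: classify_piranha_gui "$(rpm -q piranha-gui)"
sample_inventory | audit_inventory
```

A host reported as UPDATED_CHECK_PASSWORD still needs the manual step from the Recommendations section: log in to the piranha web GUI and set a password.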