Preamble:

Product: Astaro Security Linux

Version: 2.016

Vendor: Astaro AG

Vendor URL: http://www.astaro.com

Vendor status and reply: Vendor has been contacted with posting of this
message

Description:
Astaro develops and distributes the firewall solution Astaro Security
Linux. Astaro Security Linux offers extensive protection for local
networks against hackers, viruses and other risks of connecting to the
Internet. Astaro Security Linux is distributed by a worldwide network of
partners who offer local support regarding installation and maintenance.

Introduction:
Dear BugTraq readers. I've taken a short glimpse on Astaro Security
Linux and found out some points of interest that are mostly design
flaws. Please note that I am theorising (based on a 1 1/2 hour research
only) about the impacts and have not proven their concepts on Astaro
Security Linux yet even though most can be proved easily.

Some of the vulnerabilities might be local and some might argue about
that Astaro Security Linux is a Firewall and no server... but as it uses
SSHD it could always be that the "loginuser" account might have been
compromised and shell access granted.

Vulnerabilities:

Summary:
5 Design flaws
2 Completely theorised design flaws
1 Possible design flaw
1 Licensing violation
1 Software bug

Category 1: Design flaw

Problem 1:
Astaro Security Linux chroots various daemons like snmpd and named in an
insecure manner. The proc filesystem is mounted within their chroot
jails. Furthermore the chroot jail entitled chroot-ipsec provides the
proc file system, a bash, ls, cat and most notably mount.

Impact 1:
Arbitrary users could cause severe damage by breaking the named or snmpd
remotely and by misusing the proc file system to reconfigure certain
parts of the system configuration under proc/sys. Furthermore proc/kcore
could be read to obtain information stored in memory which could lead to
system administrator privileges. These could for instance be DES
encrypted passwords which leads to another design flaw

Exploit 1: None provided

Category 2: Design flaw

Problem 2:
Astaro Security Linux uses the DES algorithm as standard hashing scheme.
DES has turned very old and is known to be easily crackable with modern
processing power.

Impact 2:
Arbitrary users who obtain encrypted passwords (see 1) could retreive a
6 letter clear-text password within just some hours using modern
processing power and use it to compromise the system.

Exploit 2: None provided

Category 3: Design flaw

Problem 3:
Astaro Security Linux runs most of its daemons with UID 0 privileges.
Affected daemons are: named or snmpd. These daemons run in a chroot jail.

Impact 3:
Arbitrary users could remotely crack one of the affected daemons and use
UID 0 powers to compromise the whole file system even if these daemons
run in a chroot jail.

Additional note 3-1:
The main design flaw lies within that these daemons run UID 0 within a
chroot jail. The daemons itself are not the design flaw (even though
BIND 8.2.3 can be considered old).

Additional note 3-2:
Other daemons with UID 0 are syslogd, klogd, mdw_daemon.pl, cron, aua
and sshd. VPN subsystem, SQUID and others haven't been checked by me.

Exploit 3: None provided

Category 4: Possible design flaw

Problem 4:
OpenSSL PRNG Internal State Disclosure Vulnerability

Impact 4:
Please see: http://www.securityfocus.com/bid/3004

Exploit 4: None provided

Additional note 4:
It was NOT tested if the version of OpenSSL (0.9.6) used in Astaro
Security Linux is a security-patched version of OpenSSL 0.9.6 since no
sources were provided (5)

Category 5: Licensing violation

Problem 5:
Astaro AG releases software packages without providing their sources and
modifications to them as required in §3 of the GNU GPL and neither seems
to offer distribution of GPL sources for free within a 3 year period in
a written form.

Additional note 5:
I have not checked every available documentation for a written form of
an offer as described in GNU GPL §3 b but only their license (which
should normally contain just that) and CD-ROM contents.

Category 6: Design flaw

Problem 6:
Astaro Security Linux has a default limit for simultaneously processes
of 8190 soft and 8912 hard and its default cpu-time is "unlimited".

Impact 6:
Arbitrary users with local access (loginuser) can easily launch fork
bombs to consume 100% CPU power and stop the system from operating.

Exploit 6: None provided

Category 7: Completely theorised design flaw

Problem 7:
Astaro Security Linux uses a very old version of PAM (0.70 dated
09.10.1999) which maybe contains vulnerabilities.

Category 8: Design flaw

Problem 8:
/proc/version indicates "Linux version 2.4.8-asl-0.010815.0", which
indicates the 2.4.8 version of the Linux kernel that contains some
security vulnerabilities. Additional information on possible
vulnerabilities can be found here:

http://www.securityfocus.com/bid/3570
http://www.securityfocus.com/bid/3418
http://www.securityfocus.com/bid/3444
http://www.securityfocus.com/bid/3505

Impact 8: Various, see above URLs.

Exploit 8: None provided

Additional note 8:
Due to absence of source code it could not be proved if this kernel is
patched against the security issues mentioned above.

Category 9: Completely theorised design flaw

Problem 9:
Astaro Security Linux seems to rely on an old version of glibc according
to ls -l /lib/libc*.

Output: -rwxr-xr-x 1 root root 1080268 Sep 15 2000 libc.so.6

If my assumption is correct and the version used was not patched, it
could be possible that the system is vulnerable to a "glibc file
globbing heap corruption vulnerability". For more information please
see: http://www.securityfocus.com/bid/3707

Impact 9: See URL above

Exploit 9: None provided

Category 10: Software bug (OT for Bugtraq, still included ;)

Problem 10: During installation one can choose to install OpenSource
software only or OpenSource software and the so called Astaro Security
Enterprise Toolkit. When only "OpenSource" was chosen, the installer
locks up after entry of the last password (I think this was for lilo).
If my assumption is right (that a lilo password is asked for) then no
lilo password will be set even though the Enterprise Toolkit was
selected and the installation finished successfully.

Additional note 10:
System tested on was 800MHZ Duron, 128MB RAM, 20GB Maxtor HD, 52X
CD-ROM, 3X RTL 8139.

Final words:

Conclusion, a final word to the Astaro AG:
So much about a "Security Linux"... You may have done the firewalling and
the configuration interface of your product real good... but you should
also read some articles on what could be considered more internal
security and work on your products some more.

Disclaimer:
None of the information provided are meant to aid any destructive
purposes. I will furthermore take no responsibility for that anyone will
use the information provided for his or her own malicious purposes. This
information is intended to aid in improving the current state of Astaro
Security Linux, warn companies and individuals who run Astaro Security
Linux and should help other designers of Linux distributions to avoid
flaws like the ones elaborated on above. Please also not that I am in no
way affiliated with Astaro AG or any of their 3rd party affiliates or
want to harm Astaro AG and/or their customers.

- Jörg Lübbert (aka Kaladis)

-- 
Kaladix Linux - The Secure Linux Distribution
URL: http://www.kaladix.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]