Thursday, September 19, 2013
Friday, May 24, 2013
CloudStack IaaS insecure password reset
CloudStack is one of the major and popular IaaS (Infrastructure as a Service) platforms.
http://en.wikipedia.org/wiki/Apache_CloudStack
Below is a small review of the password reset process in CloudStack.
The purpose of the password reset procedure is to let the user reset the root (administrator) password of a VM (virtual machine), either while deploying it from a template or afterwards. Since the main idea of IaaS is to let users help themselves, this is one of the key pieces of functionality.
From the user's perspective the process looks like this:
1. Start a new VM or click "reset password" on any stopped VM.
2. Get a popup with the new root password.
3. Log in via console, RDP or SSH using the new password.
Let's see what is behind the scenes:
Each network in CloudStack has a dedicated virtual router (VR) which does DHCP, DNS, load balancing, firewalling and password reset for the whole subnet.
On the VR we have the following components of the password reset service:
1. A process listening on port 8080:
socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=10.0.146.2 SYSTEM:/opt/cloud/bin/serve_password.sh "$SOCAT_PEERADDR"
It waits for a request like: DomU_Request: send_my_password
2. The script that actually does the job: /opt/cloud/bin/serve_password.sh
3. The password file /var/cache/cloud/passwords, which holds all passwords in clear text with filesystem permissions -rw-r--r--:
10.0.146.15=rD7nudcze
10.0.146.13=jB9kbknvq
10.0.146.181=saved_password
After each password request the VR replaces the corresponding password in the password file with "saved_password".
On the VM template and on each VM instance you have the script /etc/init.d/cloud-set-guest-password.
This script automatically requests the root password from the VR at each system startup and updates it.
The password request procedure is:
1. The client VM parses its local network settings and gets the DHCP server IP.
2. The client sends a clear-text request like: wget -q -t 3 -T 20 -O - --header "DomU_Request: send_my_password" $PASSWORD_SERVER_IP:8080
3. If it gets a password it uses it. If it gets "saved_password" it does nothing.
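The VR side of this exchange, modelled as an added example (this is not CloudStack's own serve_password.sh): a lookup-and-burn function that behaves as described above on a copy of the password file, plus two audit helpers a VR operator can run. It assumes the real script's reply for an unknown peer IP is irrelevant here (the page does not show it), and the sample password file is constructed.

```shell
#!/bin/sh
# Added example, not CloudStack's own serve_password.sh: a model of the VR's
# lookup-and-burn step described above, plus two audit helpers for the VR side.
# Usage: serve_password FILE PEER_IP ; audit_passwords FILE ; readable_by_others FILE

SAVED=saved_password

# Print the password stored for PEER_IP and replace it in FILE with
# "saved_password", as the VR does after each request. Returns 1 for an
# unknown IP (assumption: the real script's reply for that case is not on the page).
serve_password() {
    file=$1 peer=$2
    pw=$(awk -F= -v ip="$peer" '$1 == ip { print $2; exit }' "$file")
    [ -n "$pw" ] || return 1
    if [ "$pw" != "$SAVED" ]; then
        tmp=$(mktemp)
        awk -F= -v ip="$peer" -v s="$SAVED" '$1 == ip { $2 = s } { print $1 "=" $2 }' "$file" > "$tmp"
        cat "$tmp" > "$file"      # write through, so the file keeps its mode
        rm -f "$tmp"
    fi
    printf '%s\n' "$pw"
}

# Defender view: VM IPs whose root password is still sitting in the clear,
# waiting for the guest's next boot to fetch it.
audit_passwords() {
    awk -F= -v s="$SAVED" '$2 != "" && $2 != s { print $1 }' "$1"
}

# Exit 0 when the group or other read bit is set (5th or 8th char of ls -l),
# i.e. the -rw-r--r-- mode the post reports; the file should be mode 600.
readable_by_others() {
    case $(ls -ld "$1") in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Constructed sample with the layout of /var/cache/cloud/passwords.
demo() {
    f=$(mktemp)
    printf '10.0.146.15=rD7nudcze\n10.0.146.13=jB9kbknvq\n10.0.146.181=saved_password\n' > "$f"
    chmod 644 "$f"
    serve_password "$f" 10.0.146.15       # rD7nudcze
    serve_password "$f" 10.0.146.15       # saved_password
    audit_passwords "$f"                  # 10.0.146.13
    readable_by_others "$f" && echo "WARNING: $f is readable by others"
    rm -f "$f"
}
```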
Security problems:
1. Clear-text password storage on the VR.
2. Clear-text password transmission over the network.
3. Missing password server authentication (only by IP).
4. Auto-starting password reset service.
Conclusion:
If an attacker has access to one instance in a CloudStack network, then by spoofing the password server (VR) IP he will be able to compromise the other instances in that subnet after they reboot. With access to the VR, he will be able to compromise all nodes.
Thursday, May 2, 2013
Adding security to the Enterprise Linux system-wide authentication mechanism:
Some small modifications to the default authentication mechanism on RedHat 5/6 based systems will increase system security.
First, switch from md5 to sha512 hashes; it is as easy as executing:
"authconfig --passalgo=sha512 --updateall"
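A check to run after that command, as an added example that is not part of the original post: authconfig only changes the algorithm used for passwords set from now on, so hashes already in /etc/shadow stay md5 until each user changes their password. The function below lists every account whose hash is not sha512; the sample shadow lines in demo() are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: "authconfig --passalgo=sha512 --updateall"
# only affects passwords set from now on; hashes already in /etc/shadow stay
# md5 ($1$) until each user changes their password. This lists every account
# whose hash is not sha512 ($6$), so you can expire them with "chage -d 0 USER".
# Usage: list_weak_hashes /etc/shadow   (prints "user scheme" per account)

list_weak_hashes() {
    awk -F: '
        $2 ~ /^!*\*?$/ { next }         # empty, "*", "!!", "!*": no password to check
        {
            hash = $2
            sub(/^!/, "", hash)         # a locked account keeps its hash after the "!"
            if (hash ~ /^\$/) {         # "$id$salt$hash" modular crypt format
                split(hash, p, "[$]")
                scheme = "$" p[2] "$"
            } else {
                scheme = "des"          # traditional 13-character DES crypt
            }
            if (scheme != "$6$") print $1, scheme   # anything but $6$ is reported
        }' "$1"
}

# Constructed sample shadow file for a dry run (hashes are placeholders).
demo() {
    f=$(mktemp)
    printf 'root:$6$abc$h1:16000:0:99999:7:::\n' > "$f"
    printf 'alice:$1$xyz$h2:16000:0:99999:7:::\n' >> "$f"
    printf 'bob:!$1$qq$h3:16000:0:99999:7:::\n' >> "$f"
    printf 'daemon:*:16000:0:99999:7:::\n' >> "$f"
    printf 'sync:!!:16000:0:99999:7:::\n' >> "$f"
    list_weak_hashes "$f"     # alice $1$ / bob $1$
    rm -f "$f"
}
```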
Then update your /etc/pam.d/system-auth to settings more adequate to current threats:
#vi /etc/pam.d/system-auth
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
# lock the account after 10 failed attempts; unlock automatically after 20 minutes
auth        sufficient    pam_tally2.so deny=10 onerr=fail unlock_time=1200
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
# instead of the default pam_cracklib.so, switch to the more advanced pam_passwdqc.so
password    required      pam_passwdqc.so min=disabled,disabled,12,8,8 max=32 passphrase=2 match=4 similar=deny random=32 enforce=everyone retry=5
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Brief explanation of the pam_passwdqc.so settings proposed here:
min=disabled,disabled,12,8,8 - disallows passwords of any length made from a single character class, disallows passwords of any length made from two character classes, requires a minimum length of 12 characters for a passphrase, a minimum length of 8 characters for a password from three character classes, and a minimum length of 8 characters for a password from four character classes. The module will ask for a new password if the user fails to provide a sufficiently strong one.
max=32 - the maximum allowed password length is 32 characters.
passphrase=2 - a passphrase must consist of 2 words.
match=4 - checks whether a 4-character substring of the password matches a dictionary word. In that case the password complexity requirements are checked against the password with this substring removed.
similar=deny - deny a new password that is similar to the old one.
random=32 - randomly generated passphrases will be 32 bits (IMHO bytes) long.
enforce=everyone - enforce the password policy for everyone.
retry=5 - the module will ask up to 5 times for a new password if the user fails to provide a sufficiently strong one.