Friday, May 24, 2013

CloudStack IaaS insecure password reset

CloudStack is one of the major and most popular IaaS (Infrastructure as a Service) platforms.
http://en.wikipedia.org/wiki/Apache_CloudStack

Below is a short review of the password reset process in CloudStack.

The purpose of the password reset procedure is to let the user reset the root (administrator) password of a VM (virtual machine), either while deploying a VM from a template or at any time afterwards. Because the main idea of IaaS is to give the user the ability to help himself, this is one of the key functions.

From the user's perspective the process looks like this:
1. Start a new VM, or click "reset password" on any stopped VM.
2. Get a popup with the new root password.
3. Log in via console, RDP or SSH using the new password.

Let's see what is behind the scenes:
Each network in CloudStack has a dedicated virtual router (VR) which does DHCP, DNS, load balancing, firewalling and password reset for the whole subnet.

On the VR we have the following components of the password reset service:
1. A process listening on port 8080:
 socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=10.0.146.2 SYSTEM:/opt/cloud/bin/serve_password.sh "$SOCAT_PEERADDR"
It waits for an HTTP request carrying the header DomU_Request: send_my_password and hands the connection to the script below, passing the peer's IP address ($SOCAT_PEERADDR) as the only argument.

2. The script that actually does the job: /opt/cloud/bin/serve_password.sh

3. And the password file, /var/cache/cloud/passwords, holding all passwords in clear text with filesystem permissions -rw-r--r-- (world-readable):
 10.0.146.15=rD7nudcze
 10.0.146.13=jB9kbknvq
 10.0.146.181=saved_password

After each password request the VR replaces the corresponding password in the file with "saved_password", so a password is handed out only once.

The VM template, and therefore every VM instance, has the script /etc/init.d/cloud-set-guest-password.
This script automatically requests the root password from the VR at each system startup and applies it.

The password request procedure is:
1. The client VM parses its local network settings and takes the DHCP server IP as the password server ($PASSWORD_SERVER_IP).
2. The client sends a clear-text HTTP request: wget -q -t 3 -T 20 -O - --header "DomU_Request: send_my_password" $PASSWORD_SERVER_IP:8080
3. If it gets a password, it sets it as the root password. If it gets "saved_password", it does nothing.
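The exchange above, both sides, as an added example (not CloudStack's own code; the real VR side is the socat line plus serve_password.sh, which the post only describes). It runs the VR side on a loopback port and asks it twice, the way a guest would across two reboots. The HTTP framing of the reply, the behaviour for an unknown peer or a request without the header, and the 127.0.0.1 entry in the sample file are assumptions made for the demo. What it shows is that the only thing identifying either party is an IP address: the guest sends its request to whatever answers at the DHCP server's address, and the server keys its answer on the peer's source address alone.

```python
import socket
import threading

REQUEST_HEADER = "DomU_Request: send_my_password"
SAVED = "saved_password"

# Constructed sample in the /var/cache/cloud/passwords format shown above.
# The 127.0.0.1 entry is added so the loopback demo has an entry for its peer.
SAMPLE_PASSWORDS_FILE = """\
10.0.146.15=rD7nudcze
10.0.146.13=jB9kbknvq
10.0.146.181=saved_password
127.0.0.1=Xk3pq9mzt
"""


def parse_passwords(text):
    """Load 'ip=password' lines into a dict (in-memory stand-in for the file)."""
    table = {}
    for line in text.splitlines():
        ip, sep, pw = line.strip().partition("=")
        if sep:
            table[ip.strip()] = pw.strip()
    return table


def serve_password(table, peer_ip, request):
    """VR-side decision, a stand-in for serve_password.sh. The requester is
    identified by its source IP only. After the first successful request the
    entry is burned to 'saved_password'. What the real script returns for an
    unknown peer or a request without the header is not on the page; an empty
    body is assumed here."""
    if REQUEST_HEADER not in request:
        return ""
    pw = table.get(peer_ip)
    if pw is None:
        return ""
    table[peer_ip] = SAVED
    return pw


def _serve_one(listener, table):
    """Accept one connection, answer it, close (socat forks the script per connection)."""
    conn, (peer_ip, _) = listener.accept()
    with conn:
        request = conn.recv(4096).decode("ascii", "replace")
        body = serve_password(table, peer_ip, request)
        # Minimal HTTP/1.0 reply, enough for wget; the real script's framing is
        # an assumption. Nothing in this reply lets the guest verify the sender.
        reply = "HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)
        conn.sendall(reply.encode("ascii"))


def fetch_password(server_ip, port):
    """Guest side, equivalent of:
    wget -q -O - --header "DomU_Request: send_my_password" $PASSWORD_SERVER_IP:8080
    The guest has no way to check who is actually answering at server_ip."""
    with socket.create_connection((server_ip, port), timeout=5) as s:
        s.sendall(("GET / HTTP/1.0\r\nHost: %s\r\n%s\r\n\r\n"
                   % (server_ip, REQUEST_HEADER)).encode("ascii"))
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    _headers, _, body = raw.partition(b"\r\n\r\n")
    return body.decode("ascii")


def exchange(table, times=2):
    """Run the VR side on an ephemeral loopback port and query it `times` times,
    as a guest would across reboots. Returns the bodies received, in order."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    results = []
    try:
        for _ in range(times):
            t = threading.Thread(target=_serve_one, args=(listener, table))
            t.start()
            results.append(fetch_password("127.0.0.1", port))
            t.join()
    finally:
        listener.close()
    return results


if __name__ == "__main__":
    table = parse_passwords(SAMPLE_PASSWORDS_FILE)
    for i, body in enumerate(exchange(table), 1):
        print("request %d -> %r" % (i, body))
    print("file after requests:", table)
```

The first request returns the clear-text password for the caller's address; the second returns "saved_password", which is the whole of the replay protection. Anyone on the path who can read the first exchange, or anyone who can get a guest to send its request to a different address, is outside what this design considers.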


Security problems:
1. Clear-text password storage on the VR, in a world-readable file.
2. Clear-text password transmission over the network.
3. No authentication of the password server: the guest trusts whatever answers at the DHCP server's IP, and the VR identifies the guest by its source IP only.
4. The password reset client auto-starts at every boot, so every reboot is a new request.

Conclusion:

If an attacker has access to one instance in a CloudStack network, then by spoofing the password server (VR) IP he will be able to compromise other instances in this subnet after their reboot. With access to the VR itself, he will be able to compromise all nodes.

Thursday, May 2, 2013


Adding security to the Enterprise Linux system-wide authentication mechanism:

Some small modifications to the default authentication mechanism on a RedHat 5/6 based system will increase system security.

First, switch from MD5 to SHA-512 password hashes; it is as easy as executing:

"authconfig --passalgo=sha512 --updateall"

Then update your /etc/pam.d/system-auth to settings more adequate to current threats. Do this after running authconfig, because, as the file header warns, authconfig regenerates the file and destroys manual changes:

#vi /etc/pam.d/system-auth
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        sufficient    pam_tally2.so deny=10 onerr=fail unlock_time=1200
# lock account after 10 failed attempt. unlock automatically after 20 minutes.
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    required      pam_passwdqc.so min=disabled,disabled,12,8,8 max=32 passphrase=2 match=4 similar=deny random=32 enforce=everyone retry=5
# instead of default pam_cracklib.so switch to more advanced pam_passwdqc.so 
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Brief explanation of the pam_passwdqc.so settings proposed here:
min=disabled,disabled,12,8,8 - disallows passwords of any length made from a single character class, disallows passwords of any length made from two character classes, requires a minimum length of 12 characters for a passphrase, 8 characters for a password from three character classes, and 8 characters for a password from four character classes. Note that an uppercase letter as the first character and a digit as the last character do not count towards the number of classes.
max=32 - maximum allowed password length is 32 characters.
passphrase=2 - a passphrase must consist of at least 2 words.
match=4 - the length of a common substring that makes passwdqc consider the new password based on the old one or on the user's personal information (login name, GECOS fields); such a password is not rejected outright but is judged against the strength requirements with the substring removed. passwdqc does not use a dictionary.
similar=deny - deny a new password that is similar to the old one.
random=32 - randomly generated passphrases offered to the user will carry 32 bits of entropy (the unit is bits, not bytes; passwdqc's default is 42, so this is a weaker suggestion than the default).
enforce=everyone - enforce the policy for everyone, including root.
retry=5 - the module will ask up to 5 times for a new password if the user fails to provide a sufficiently strong one.
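One check worth doing after the authconfig step above, as an added example (not part of the original post and not authconfig's own code): switching to sha512 only changes the algorithm used for future password changes. Every account keeps its existing $1$ (MD5) or 13-character DES hash until the user actually changes the password, and an empty password field is still accepted under nullok. The script below classifies each account by the hash prefix in a shadow-format file; the sample shadow content is constructed for the demo, with fake hashes that only have the right prefixes.

```python
import re
import sys

# crypt(3) hash prefixes as produced on RHEL 5/6.
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}

# Constructed /etc/shadow sample (fake hashes, only the prefixes matter).
SAMPLE_SHADOW = """\
root:$6$Qz7t1xZb$F8k3Lm2nRt5vWx9yBc1dEf4gHj7kLm0nPq3rSt6uVw9xYz2aBc5dEf8gHj1kLm4n:15840:0:99999:7:::
alice:$1$k3Pq9Zm1$xV7ab2cdEf3ghIjKlMnOp1:15100:0:99999:7:::
bob:$6$p2Lw9aQe$Hj7kLm0nPq3rSt6uVw9xYz2aBc5dEf8gHj1kLm4nF8k3Lm2nRt5vWx9yBc1dEf4g:15845:0:99999:7:::
legacy:AbCdEfGhIjKlM:14000:0:99999:7:::
carol:!$1$k3Pq9Zm1$xV7ab2cdEf3ghIjKlMnOp1:15100:0:99999:7:::
svc:!!:15840:0:99999:7:::
daemon:*:15000:0:99999:7:::
guest::15840:0:99999:7:::
"""


def hash_algorithm(field):
    """Classify one shadow password field by its crypt(3) prefix.
    A leading '!' or '*' means the account is locked; if a hash follows,
    it is reported too, since it is still there to be cracked."""
    if field == "":
        return "empty"
    locked = field.startswith(("!", "*"))
    core = field.lstrip("!*")
    if core == "":
        return "locked"
    name = "unknown"
    for prefix, algo in PREFIXES.items():
        if core.startswith(prefix):
            name = algo
            break
    else:
        # Traditional DES crypt: exactly 13 characters from the crypt alphabet.
        if re.fullmatch(r"[./0-9A-Za-z]{13}", core):
            name = "des"
    return "locked(%s)" % name if locked else name


def audit_shadow(text):
    """Return {user: algorithm} for every record in shadow-format text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = hash_algorithm(fields[1])
    return result


def weak_accounts(text):
    """Accounts whose password is still MD5/DES-hashed or empty, i.e. the ones
    the authconfig change did not fix and that need a forced password change."""
    return sorted(user for user, algo in audit_shadow(text).items()
                  if algo in ("md5", "des", "empty"))


if __name__ == "__main__":
    # Run as root with a path argument to audit a real system; with no
    # argument it runs over the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, algo in audit_shadow(text).items():
        print("%-12s %s" % (user, algo))
    print("needs a password change:", ", ".join(weak_accounts(text)))
```

Run it as root with /etc/shadow as the argument. For every account it lists as md5, des or empty, force a change at next login with chage -d 0 <user>, or set a new password yourself; only then does the sha512 setting actually apply to that account.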