Publication Date: 26 March 2015
An incorrect rsync configuration on certain models of our gateway products allows an external system to obtain unrestricted remote read/write file access.
A remote unauthenticated user with unrestricted access to the rsync port on affected gateway products may be allowed full read/write access to the file system. Exploitation of this vulnerability could lead to unauthenticated access.
The vulnerability is classified as ‘CVE-2015-0932’ by CERT.
Affected gateway products are:
- IG 3100 model 3100, model 3101
- InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series, 3.10 E-Series
- InnGate 3.01 G-Series, 3.10 G-Series
If your product is listed among the affected gateways above, you can eliminate this vulnerability by applying the latest hotfix, which was released on March 26, 2015.
Gateways with Support Contract
If your product is still under a valid support contract, you may download the latest patch from our online patching system. Please follow these instructions:
For InnGate3 Gateway below patch#43, kindly register or log in to the ANTlabs Support Portal, download and manually apply patches up to level 43 in the Admin GUI (Admin GUI > System > Maintenance > Patch), then continue applying up to the latest patch level through Online Patching. Patches for manual upload can be downloaded from: ANTlabs Website > Support > Patches > InnGate 3.
For IG3100 and InnGate3 Gateway patch#43 and above, the patches can be downloaded through Online Patching (Admin GUI > System > Maintenance > Patch).
From the patch list, click the “Check for Updates”, “Download all” and “Install Next Patch” buttons, up to the latest level.
Please note: Certain patches may require a reboot, which will introduce downtime. We recommend that you save a snapshot of the Gateway before applying any patches. Please refer to the following documents (downloadable from Admin GUI > Documentation > Manual) for more information.
- IG 3100 Administrator Manual r1.2.pdf – Chapter 11: System Save & Restoration
- InnGate_3_Administrator_Manual_r1.03.pdf – Chapter 12: System Save & Restoration
Gateways without valid Support Contract
Even if your gateway is out of support contract, it is still eligible for the hotfix mentioned above. In that case, please download the patch from the links below and apply it manually:
For expired support contracts and/or any other issues, please contact our support at email@example.com.
To mitigate this vulnerability, you can also ensure the gateway is placed behind a trusted network or ensure that access to the rsync TCP port 873 is restricted.
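The advisory does not publish the faulty configuration. As an added illustration that is not ANTlabs code, the Python sketch below audits a constructed rsyncd.conf for the condition described above: a module that is writable, requests no credentials and accepts any host. The module names and paths are assumptions; the parameter names are standard rsyncd.conf settings.

```python
# Added example: flag rsyncd.conf modules that permit unauthenticated writes.
# SAMPLE_CONF is constructed for illustration; it is not the gateway's real configuration.
SAMPLE_CONF = """\
hosts allow = 10.0.0.0/8

[backup]
path = /srv/backup
read only = no
auth users = backupuser
secrets file = /etc/rsyncd.secrets

[rootfs]
path = /
read only = false
hosts allow = *

[docs]
path = /srv/docs
"""

def parse_rsyncd_conf(text):
    """Split rsyncd.conf text into (global parameters, {module: parameters})."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise the parameter name
            (global_params if current is None else current)[key] = value.strip()
    return global_params, modules

def audit(text):
    """Return {module: sorted risk flags}; an empty list means nothing was flagged."""
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**global_params, **params}  # module settings override global defaults
        flags = set()
        if eff.get("read only", "yes").lower() in ("no", "false", "0"):
            flags.add("writable")  # rsync's default is read only = yes
        if not eff.get("auth users"):
            flags.add("anonymous")  # without auth users no password is requested
        if eff.get("hosts allow", "") == "*" or not (eff.get("hosts allow") or eff.get("hosts deny")):
            flags.add("any-host")  # heuristic: no effective source restriction
        report[name] = sorted(flags)
    return report
```

A module that carries all three flags matches the exposure this advisory describes; restricting TCP port 873 at the network edge removes the `any-host` condition even before the hotfix is applied.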
ANTlabs would like to acknowledge the CERT(R) Coordination Center team for bringing this issue to our attention, and for following the highest standards of responsible disclosure.
Advisory: Glibc Vulnerability
A buffer overflow vulnerability in the glibc gethostbyname() function was publicly announced on January 27, 2015. The issue is identified by CVE-2015-0235 and was given the name “Ghost.” The ANTlabs Engineering Team started investigating this issue immediately.
This vulnerability is related to the various gethostbyname functions included in glibc and affects applications that call these functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or, in some instances, perform remote code execution with the privileges of the application being exploited.
- The issue exists within the __nss_hostname_digits_dots() function, which is used by the gethostbyname() or gethostbyname2() functions.
- Exploitation of the vulnerability can lead to remote code execution (RCE). This provides an attacker the capability to run code of their choosing on the affected machine.
While some ANTlabs products do ship with the vulnerable versions of glibc, based on our current analysis, ANTlabs products are not affected by this issue. This conclusion is based on not finding a method to pass untrusted input to the vulnerable glibc function in any ANTlabs product.
ANTlabs products that ship with vulnerable versions of glibc will be updated in upcoming releases in accordance with standard software update policy.
Advisory on Darkhotel Malware
Information has been circulated about malware known as Darkhotel, which targets and compromises various hotel systems. This malware initiates targeted attacks on selected users when they check in to hotels by pushing Trojans, information stealers and key loggers onto the user’s machine.
Please be informed that the InnGate is safe from the Darkhotel malware based on the following points:
- InnGate is an appliance-based product with its own hardened OS, and it allows users neither to download nor to install any infected software such as Darkhotel. It is more secure than software-based gateway solutions, whose underlying PCs may be infected with malware brought in by unsuspecting hotel staff’s software downloads on those systems.
- The InnGate prevents network-based attacks (i.e. malicious code injections) by providing regular software updates and security fixes. These are delivered through online patching.
- Darkhotel malware attacks are targeted, and the malware needs to identify users when they log in via the hotel WiFi portal. This can only be achieved when the portal server is compromised. The InnGate’s portal server is integrated and, given the security mechanisms (as illustrated in points 1 and 2) preventing the compromise of the portal server, this malware attack cannot be initiated since it cannot infect the portal server to identify targeted users.
- The InnGate supports traffic separation by rooms, based on VLANs. This means that if other hotel systems are infected by the Darkhotel malware, the traffic separation shall reduce the ability of these systems to detect and identify the guest; therefore, the attack shall not be launched effectively.
The InnGate solution helps hotels in preventing and reducing the effectiveness of malware attacks, such as that of Darkhotel. For more information on how you can make your hotel network safer for you and your guests, please contact firstname.lastname@example.org.
Advisory on SSL3 ‘Poodle’ vulnerability
The “Poodle” vulnerability, released on October 14th, 2014, is an attack on the SSL 3.0 protocol. It is a protocol flaw and every implementation of SSL 3.0 suffers from it.
Note that we are talking about the old SSL 3.0, not TLS 1.0 or later. The TLS versions are not affected (neither is DTLS) by the vulnerability.
Are our gateways vulnerable to the Poodle attack?
The attack scenario requires the attacker to be able to inject data of their own, and to intercept the encrypted bytes. The only plausible context where such a thing can happen is in a Web browser. Therefore, Poodle is an attack on the client, not on the server, which means our gateways are not technically ‘vulnerable’ to the attack.
However, if there is concern that the administrator’s web browser may be ‘vulnerable’ to this attack when accessing our admin GUI, the administrator can choose to disable SSL 3.0 support in their browser or upgrade their browser to the latest version which has patched this vulnerability.
As a precautionary measure, SSL 3.0 support will also be removed from our gateways in the future during our regular software update cycles.
Advisory: ShellShock Bash Vulnerability
Please be informed that ANTlabs products are not affected by “ShellShock” Bash Vulnerability. This is mainly because our products are appliance-based and do not use bash for console shell access. Administrators use ANTlabs’ own customised shell (that is not subject to the ShellShock Bash vulnerability) to access the command line interface. In addition, these products do not use or permit the execution of CGI scripts.
This advisory is applicable to the following ANTlabs Products:
- SSG 3 / SSG 4
- SG 4
- InnGate 3
- IG 3100
- Tru’Auth CMS
- Tru’IP DNS
- Tru’IP DHCP
- Tru’IP CMS