From cog@seul.org Mon Apr 24 23:49:55 2000
From: David Webster
To: independence-l@independence.seul.org
Date: Mon, 24 Apr 2000 23:06:56 +0100 (BST)
Subject: PISA-24-APR-00-005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

.------------------------------------------------.
|**** Project Independence Security Advisory ****|
`-----------* ID: PISA-24-APR-00-005 *-----------'

Issued by: David Webster
Issue Date: 24-APR-00

Overview: Backdoor in Linux Virtual Server (LVS) package
Affected: Indy 6.2build before current date (earlier versions NOT affected)

-=-=-==-=-=-

Detailed Problem Description:

Internet Security Systems (ISS) X-Force has found a backdoor password in
the Piranha-gui product. Piranha is a collection of utilities used to
administer the Linux Virtual Server.

LVS is a scalable and highly available server designed for large
enterprise environments. It allows seamless clustering of multiple web
servers through load balancing, heartbeat monitoring, redundancy, and
fail-over protection. To the end user, the entire system is completely
transparent, appearing as if a single server is fielding every request.

Piranha ships with a web-based GUI (Piranha-gui) that allows
administrators to configure and monitor the web servers. The Piranha
package contains a backdoor account and password that may allow a remote
attacker access to the LVS web administration tools. Attackers could
then use these tools to cause the interface to execute their commands
against the server. With this backdoor password, an attacker could
potentially compromise the web server and deface/destroy the entire web
site.

The vulnerability is present even if the LVS service isn't in use on the
system. If the "piranha-gui" package is installed and the password has
not been changed by the administrator, the system is vulnerable.

Solution:

Update the affected RPM packages by downloading and installing the RPMs
listed below. For each RPM, run:

    root# rpm -Fvh

where is the name of the RPM.

[Note: You need only install EITHER the compiled RPM, (*.i386.rpm) OR
the source RPM, (*.src.rpm), NOT both.]

RPMs:

http://independence.seul.org/security/2000/rpms/piranha-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm
http://independence.seul.org/security/2000/rpms/piranha-docs-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm
http://independence.seul.org/security/2000/rpms/piranha-gui-0.4.13-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm

Source RPMs:

http://independence.seul.org/security/2000/rpms/piranha-0.4.13-1.src.rpm

Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
ece87b0ed6f01a87b954b980c115aec0  piranha-0.4.13-1.src.rpm
f2db6f165f21f93e9b724a94cd3fc595  piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00  piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30  piranha-gui-0.4.13-1.i386.rpm
- --------------------------------------------------------------------------

These packages are GPG signed by Red Hat, Inc. for security. Their key
is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

    rpm --checksig

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg

This security advisory, and all future ones, should be signed by me,
David Webster (aka cognition), with key ID: 45 FA C2 83

An archive of these messages can currently be found at:

http://independence.seul.org/security/

[Note: This vulnerability was discovered by Allen Wilson of ISS]

.---------------------------------------------------.
| Any problems regarding this, or future advisories |
| should be emailed to me:                          |
`---------------------------------------------------'

-----BEGIN PGP SIGNATURE-----
Comment: David Webster (aka cogNiTioN)

iD8DBQE5BMWYDdLNO0X6woMRAgYOAJ9IuK89k2YzjAR6qTDyuBJix39oxACffxPL
dmhqG9cyP5NDWrfhTRufu2g=
=bdcS
-----END PGP SIGNATURE-----
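
The MD5 check from the Verification section above, scripted so a whole download directory can be compared against the advisory's table in one pass. This is an added example, not part of the original advisory; the function name verify_rpms and its optional second argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the advisory): compare downloaded piranha RPMs
# with the MD5 table published above. verify_rpms and its optional second
# argument are hypothetical names chosen for this example.

# The advisory's table in md5sum(1) layout: hash, two spaces, file name.
ADVISORY_SUMS='ece87b0ed6f01a87b954b980c115aec0  piranha-0.4.13-1.src.rpm
f2db6f165f21f93e9b724a94cd3fc595  piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00  piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30  piranha-gui-0.4.13-1.i386.rpm'

# verify_rpms DIR [SUMS]
#   Prints OK / MISMATCH / MISSING for each package listed in SUMS.
#   A missing file is not an error, since only the compiled OR the source
#   RPM needs to be installed.
#   Returns 0 if every file present matches, 1 on any mismatch,
#   2 if none of the listed files was present in DIR.
verify_rpms() {
    dir=$1
    sums=${2:-$ADVISORY_SUMS}
    checked=0
    bad=0
    while read -r want name; do
        [ -n "$name" ] || continue
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING   $name"
            continue
        fi
        got=$(md5sum "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (expected $want, got $got)"
            bad=$((bad + 1))
        fi
    done <<EOF
$sums
EOF
    [ "$bad" -eq 0 ] || return 1
    [ "$checked" -gt 0 ] || return 2
    return 0
}

# Usage: verify_rpms /path/to/downloads
```

A matching MD5 only shows that a file is identical to the one the advisory lists; the `rpm --checksig` check against Red Hat's key, as described above, is what establishes who built the package.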