SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Device (Storage)  >   EMC Celerra Vendors:   EMC
EMC Celerra Network Attached Storage Lets Remote Users Access the NFS Data Directory
SecurityTracker Alert ID:  1024271
SecurityTracker URL:  http://securitytracker.com/id/1024271
CVE Reference:   CVE-2010-2860   (Links to External Site)
Updated:  Sep 9 2010
Original Entry Date:  Aug 2 2010
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.6.50 and prior versions
Description:   A vulnerability was reported in EMC Celerra Network Attached Storage. A remote user with the ability to spoof IP addresses can gain full access to the exported NFS directory.

The system grants access to remote users using an IP address white list intended for internal device communications. A remote user can spoof certain IP addresses to mount and gain full access to the root NFS export on the target device.

The vendor was notified on May 7, 2010.

Steve Ocepek of Trustwave's SpiderLabs reported this vulnerability.

Impact:   A remote user with the ability to spoof IP addresses can gain full access to the exported NFS directory.
Solution:   The vendor has issued a fix (5.6.51).
Vendor URL:  www.emc.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 2 Aug 2010 16:31:41 -0400
Subject:  [Full-disclosure] TWSL2010-003: Unauthorized access to root NFS export on EMC Celerra NAS appliance

--===============1478896760==
Content-Type: multipart/alternative; boundary="B_3363611504_462098"

--B_3363611504_462098
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable


Trustwave's SpiderLabs Security Advisory TWSL2010-003:
Unauthorized access to root NFS export on EMC Celerra Network Attached
Storage
(NAS) appliance

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-003.txt

Published: 2010-07-29 Version: 1.0

Vendor: EMC (http://www.emc.com)
Product: Celerra Unified Storage products
(http://www.emc.com/products/family/celerra-family.htm)
Version(s) affected: All

Product Description:
The Celerra Unified Storage Platform provides Network Attached Storage (NAS=
)
services through a combination of server appliances and software modules.

Credit: Steve Ocepek of Trustwave's SpiderLabs

CVE: CVE-2010-2860

Finding:
The Celerra appliance's NFS server freely exports its "/" file system and
enforces access using a factory-defined list of authorized IP addresses.
The
addresses found on a recent model are listed in the showmount example below=
,
however this list may differ depending on product version. The IP addresses
are intended for communication internal to the appliance, but are still
accepted from external sources. An attacker can mount this file system by
spoofing an authorized IP address.

The NFS showmount command can be used to obtain a list of the IP addresses:

     # showmount -e <Celerra IP address>
     Export list for <Celerra IP address>:
     / 128.221.253.101,128.221.252.101,128.221.253.100,128.221.252.100

Because the appliance's NFS server does not enable the "rootsquash" feature=
,
full access to the file system is possible by mounting the export using roo=
t
(UID 0).

Fully spoofing the source IP address (for sending and receiving packets)
will
usually require access to the local subnet or the ability to exploit some
other network infrastructure vulnerability. On Linux, local IP address
spoofing can be accomplished by creating an alias interface and using the
"ip route" command to set the source IP accordingly.

     # ifconfig eth0:0 128.221.253.101
     # ip route add <Celerra IP address> dev eth0 src 128.221.253.101
     # mkdir nfs
     # mount <Celerra IP address>:/ nfs


The flaw allows unauthorized access to files contained on the system,
including all CIFS shares and iSCSI mounted drives. The "/" path does not
correspond to the true root of the file system -- only the root of the user
data directory is exposed.

Vendor Response:
The vendor has acknowledged this issue and issued the following workaround.

Vendor has also published a knowledgebase article about the issue and
mitigation so support can help any customers who call in with this issue
until
a permanent fix from EMC is available.

Vendor estimated date for a code fix is Q3 2010.

Remediation Steps:=20

The following recommendations were provided by the vendor.

1. Hide NFS exports and show it only based on the configured access. Settin=
g
forceFullShowmount param to 0 (default is 1) will hide the "/" from the lis=
t
since only Control Station have access to it for administration purpose:

[root@virgil slot_3]# server_param server_3 -f mount -info
forceFullShowmount

server_3 :=20
name                    =3D forceFullShowmount
facility_name           =3D mount
default_value           =3D 1
current_value           =3D 1
configured_value        =3D
user_action             =3D none
change_effective        =3D immediate
range                   =3D (0,1)
description             =3D Forces response to showmount requests to fully
                          populate response.

[root@virgil slot_3]# server_param server_3 -f mount -modify \
forceFullShowmount -value 0

server_3 : done

After the above change, client will see only the shares he have permissions
to
access to:

/usr/sbin/showmount -e 172.24.97.3
Export list for 172.24.97.3:
/fs1 (everyone)

2. Change default IP addresses (during install or after) for internal
network
along with first step above to further minimize the exploitability.

Product team has provided additional mitigations steps that can be
implemented
by the customers to reduce the severity of exploitation of a vulnerability:

1. Create IP-based access rules on the network equipment rejecting traffic
for
IP addresses belonging to internal Celerra network which do have own switch
for that purpose. These addresses are listed in the /etc/hosts file of the
Celerra Control Station.

2. Configure firewall(s) between Data Movers and NFS clients to reject
traffic
for IP addresses belonging to the internal Celerra network.

3. Hide NFS exports and show it only based on the configured access. Settin=
g
forceFullShowmount param to 0 (default is 1) will hide the =B3/=B2 from the lis=
t
since only Control Station have access to it for administration purpose.

4.    Disable IP reflect

Vendor Communication Timeline:
05/07/10 - Initial communication
05/10/10 - Vulnerability details provided
05/18/10 - Vulnerability acknowledged, workaround and timeline provided
07/27/10 - Additional workaround details provided

Revision History:=20
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions
to businesses and government entities throughout the world. For
organizations
faced with today's challenging data security and compliance environment,
Trustwave provides a unique approach with comprehensive solutions that
include
its flagship TrustKeeper compliance management software and other
proprietary
security solutions. Trustwave has helped thousands of organizations--rangin=
g
from Fortune 500 businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their network
infrastructure, data communications and critical information assets.
Trustwave
is headquartered in Chicago with offices throughout North America,
South America, Europe, Africa, China and Australia. For more information,
visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for
incident
response and forensics, ethical hacking and application security tests for
Trustwave's clients. SpiderLabs has responded to hundreds of security
incidents, performed thousands of ethical hacking exercises and tested the
security of hundreds of business applications for Fortune 500 organizations=
.
For more information visit https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty
of any kind. Trustwave disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Trustwave or its
suppliers have been advised of the possibility of such damages. Some states
do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.


--B_3363611504_462098
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
<TITLE>TWSL2010-003: Unauthorized access to root NFS export on EMC Celerra =
NAS appliance</TITLE>
</HEAD>
<BODY>
<FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=3D'font-size:11pt=
'><BR>
Trustwave's SpiderLabs Security Advisory TWSL2010-003: <BR>
Unauthorized access to root NFS export on EMC Celerra Network Attached Stor=
age<BR>
(NAS) appliance<BR>
<BR>
<a href=3D"https://www.trustwave.com/spiderlabs/advisories/TWSL2010-003.txt">=
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-003.txt</a><BR>
<BR>
Published: 2010-07-29 Version: 1.0<BR>
<BR>
Vendor: EMC (<a href=3D"http://www.emc.com">http://www.emc.com</a>)<BR>
Product: Celerra Unified Storage products<BR>
(<a href=3D"http://www.emc.com/products/family/celerra-family.htm">http://www=
.emc.com/products/family/celerra-family.htm</a>)<BR>
Version(s) affected: All<BR>
<BR>
Product Description: <BR>
The Celerra Unified Storage Platform provides Network Attached Storage (NAS=
)<BR>
services through a combination of server appliances and software modules.<B=
R>
<BR>
Credit: Steve Ocepek of Trustwave's SpiderLabs<BR>
<BR>
CVE: CVE-2010-2860<BR>
<BR>
Finding:<BR>
The Celerra appliance's NFS server freely exports its &quot;/&quot; file sy=
stem and<BR>
enforces access using a factory-defined list of authorized IP addresses. &n=
bsp;The<BR>
addresses found on a recent model are listed in the showmount example below=
,<BR>
however this list may differ depending on product version. The IP addresses=
<BR>
are intended for communication internal to the appliance, but are still<BR>
accepted from external sources. An attacker can mount this file system by<B=
R>
spoofing an authorized IP address. &nbsp;<BR>
<BR>
The NFS showmount command can be used to obtain a list of the IP addresses:=
<BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# showmount -e &lt;Celerra IP address&gt;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Export list for &lt;Celerra IP address&gt;:<B=
R>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/ 128.221.253.101,128.221.252.101,128.221.253=
.100,128.221.252.100<BR>
<BR>
Because the appliance's NFS server does not enable the &quot;rootsquash&quo=
t; feature,<BR>
full access to the file system is possible by mounting the export using roo=
t<BR>
(UID 0).<BR>
<BR>
Fully spoofing the source IP address (for sending and receiving packets) wi=
ll<BR>
usually require access to the local subnet or the ability to exploit some<B=
R>
other network infrastructure vulnerability. On Linux, local IP address<BR>
spoofing can be accomplished by creating an alias interface and using the<B=
R>
&quot;ip route&quot; command to set the source IP accordingly. <BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# ifconfig eth0:0 128.221.253.101<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# ip route add &lt;Celerra IP address&gt; dev=
 eth0 src 128.221.253.101<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# mkdir nfs<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# mount &lt;Celerra IP address&gt;:/ nfs<BR>
<BR>
<BR>
The flaw allows unauthorized access to files contained on the system,<BR>
including all CIFS shares and iSCSI mounted drives. The &quot;/&quot; path =
does not<BR>
correspond to the true root of the file system -- only the root of the user=
<BR>
data directory is exposed.<BR>
<BR>
Vendor Response:<BR>
The vendor has acknowledged this issue and issued the following workaround.=
<BR>
<BR>
Vendor has also published a knowledgebase article about the issue and<BR>
mitigation so support can help any customers who call in with this issue un=
til<BR>
a permanent fix from EMC is available.<BR>
<BR>
Vendor estimated date for a code fix is Q3 2010.<BR>
<BR>
Remediation Steps: <BR>
<BR>
The following recommendations were provided by the vendor.<BR>
<BR>
1. Hide NFS exports and show it only based on the configured access. Settin=
g<BR>
forceFullShowmount param to 0 (default is 1) will hide the &quot;/&quot; fr=
om the list<BR>
since only Control Station have access to it for administration purpose:<BR=
>
<BR>
[root@virgil slot_3]# server_param server_3 -f mount -info forceFullShowmou=
nt<BR>
<BR>
server_3 : <BR>
name &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=3D forceFullShowmount<BR>
facility_name &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=3D=
 mount<BR>
default_value &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=3D=
 1<BR>
current_value &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=3D=
 1<BR>
configured_value &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=3D <BR>
user_action &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;=3D none<BR>
change_effective &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=3D immediate<BR>
range &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=3D (0,1)<BR>
description &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;=3D Forces response to showmount requests to fully<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;populate response.<BR>
<BR>
[root@virgil slot_3]# server_param server_3 -f mount -modify \<BR>
forceFullShowmount -value 0<BR>
<BR>
server_3 : done<BR>
<BR>
After the above change, client will see only the shares he have permissions=
 to<BR>
access to:<BR>
<BR>
/usr/sbin/showmount -e 172.24.97.3<BR>
Export list for 172.24.97.3:<BR>
/fs1 (everyone)<BR>
<BR>
2. Change default IP addresses (during install or after) for internal netwo=
rk<BR>
along with first step above to further minimize the exploitability.<BR>
<BR>
Product team has provided additional mitigations steps that can be implemen=
ted<BR>
by the customers to reduce the severity of exploitation of a vulnerability:=
 <BR>
<BR>
1. Create IP-based access rules on the network equipment rejecting traffic =
for<BR>
IP addresses belonging to internal Celerra network which do have own switch=
<BR>
for that purpose. These addresses are listed in the /etc/hosts file of the<=
BR>
Celerra Control Station.<BR>
<BR>
2. Configure firewall(s) between Data Movers and NFS clients to reject traf=
fic<BR>
for IP addresses belonging to the internal Celerra network.<BR>
<BR>
3. Hide NFS exports and show it only based on the configured access. Settin=
g<BR>
forceFullShowmount param to 0 (default is 1) will hide the &#8220;/&#8221; =
from the list<BR>
since only Control Station have access to it for administration purpose.<BR=
>
<BR>
4. &nbsp;&nbsp;&nbsp;Disable IP reflect<BR>
<BR>
Vendor Communication Timeline:<BR>
05/07/10 - Initial communication<BR>
05/10/10 - Vulnerability details provided <BR>
05/18/10 - Vulnerability acknowledged, workaround and timeline provided<BR>
07/27/10 - Additional workaround details provided<BR>
<BR>
Revision History: <BR>
1.0 Initial publication<BR>
<BR>
About Trustwave:<BR>
Trustwave is the leading provider of on-demand and subscription-based<BR>
information security and payment card industry compliance management soluti=
ons<BR>
to businesses and government entities throughout the world. For organizatio=
ns<BR>
faced with today's challenging data security and compliance environment,<BR=
>
Trustwave provides a unique approach with comprehensive solutions that incl=
ude<BR>
its flagship TrustKeeper compliance management software and other proprieta=
ry<BR>
security solutions. Trustwave has helped thousands of organizations--rangin=
g<BR>
from Fortune 500 businesses and large financial institutions to small and<B=
R>
medium-sized retailers--manage compliance and secure their network<BR>
infrastructure, data communications and critical information assets. Trustw=
ave<BR>
is headquartered in Chicago with offices throughout North America,<BR>
South America, Europe, Africa, China and Australia. For more information,<B=
R>
visit <a href=3D"https://www.trustwave.com">https://www.trustwave.com</a><BR>
<BR>
About Trustwave's SpiderLabs:<BR>
SpiderLabs is the advance security team at Trustwave responsible for incide=
nt<BR>
response and forensics, ethical hacking and application security tests for<=
BR>
Trustwave's clients. SpiderLabs has responded to hundreds of security<BR>
incidents, performed thousands of ethical hacking exercises and tested the<=
BR>
security of hundreds of business applications for Fortune 500 organizations=
.<BR>
For more information visit <a href=3D"https://www.trustwave.com/spiderlabs">h=
ttps://www.trustwave.com/spiderlabs</a><BR>
<BR>
Disclaimer:<BR>
The information provided in this advisory is provided &quot;as is&quot; wit=
hout warranty<BR>
of any kind. Trustwave disclaims all warranties, either express or implied,=
<BR>
including the warranties of merchantability and fitness for a particular<BR=
>
purpose. In no event shall Trustwave or its suppliers be liable for any<BR>
damages whatsoever including direct, indirect, incidental, consequential,<B=
R>
loss of business profits or special damages, even if Trustwave or its<BR>
suppliers have been advised of the possibility of such damages. Some states=
<BR>
do not allow the exclusion or limitation of liability for consequential or<=
BR>
incidental damages so the foregoing limitation may not apply.<BR>
</SPAN></FONT>
</BODY>
</HTML>



--B_3363611504_462098--


--===============1478896760==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1478896760==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC