
PISA-24-APR-00-005



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              .------------------------------------------------.
              |**** Project Independence Security Advisory ****|
              `-----------* ID: PISA-24-APR-00-005 *-----------'
                    Issued by: David Webster <cog@seul.org>

Issue Date: 24-APR-00

Overview: Backdoor in Linux Virtual Server (LVS) package 

Affected: Indy 6.2build before current date 
		(earlier versions NOT affected)

                                  -=-=-==-=-=-

Detailed Problem Description:

	Internet Security Systems (ISS) X-Force has found a backdoor 
	password in the Piranha-gui product. 

	Piranha is a collection of utilities used to administer the Linux 
	Virtual Server. LVS is a scalable and highly available server 
	designed for large enterprise environments. It allows seamless 
	clustering of multiple web servers through load balancing, heartbeat
	monitoring, redundancy, and fail-over protection. To the end user,
	the entire system is completely transparent, appearing as if a 
	single server is fielding every request.

	Piranha ships with a web-based GUI (Piranha-gui) that allows 
	administrators to configure and monitor the web servers. The 
	Piranha package contains a backdoor account and password that 
	may allow a remote attacker access to the LVS web administration 
	tools. Attackers could then use these tools to cause the 
	interface to execute their commands against the server. With this 
	backdoor password, an attacker could potentially compromise the 
	web server and deface/destroy the entire web site.

	The vulnerability is present even if the LVS service isn't in use 
	on the system. If the "piranha-gui" package is installed and the 
	password has not been changed by the administrator, the system is
	vulnerable.  

Solution:

        Update the affected RPM packages by downloading and
        installing the RPMs listed below. For each RPM, run:

                root# rpm -Fvh <filename>

        where <filename> is the name of the RPM.

        [Note: You need only install EITHER the compiled RPM,
        (*.i386.rpm) OR the source RPM, (*.src.rpm), NOT both.]

RPMs:

  http://independence.seul.org/security/2000/rpms/piranha-0.4.13-1.i386.rpm
   ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm
  http://independence.seul.org/security/2000/rpms/piranha-docs-0.4.13-1.i386.rpm
   ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm
  http://independence.seul.org/security/2000/rpms/piranha-gui-0.4.13-1.i386.rpm
   ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm

Source RPMs:

  http://independence.seul.org/security/2000/rpms/piranha-0.4.13-1.src.rpm

Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
ece87b0ed6f01a87b954b980c115aec0	piranha-0.4.13-1.src.rpm
f2db6f165f21f93e9b724a94cd3fc595	piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00	piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30	piranha-gui-0.4.13-1.i386.rpm
- --------------------------------------------------------------------------

These packages are GPG signed by Red Hat, Inc. for security.
Their key is available at: http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

This security advisory, and all future ones, should be signed by me,
David Webster (aka cognition), with key ID: 45 FA C2 83

An archive of these messages can currently be found on:
http://independence.seul.org/security/

   [Note: This vulnerability was discovered by Allen Wilson of ISS]

        .---------------------------------------------------.
        | Any problems regarding this, or future advisories |
        |      should be emailed to me: <cog@seul.org>      |
        `---------------------------------------------------'
-----BEGIN PGP SIGNATURE-----
Comment: David Webster (aka cogNiTioN) <http://www.cognite.net/>

iD8DBQE5BMWYDdLNO0X6woMRAgYOAJ9IuK89k2YzjAR6qTDyuBJix39oxACffxPL
dmhqG9cyP5NDWrfhTRufu2g=
=bdcS
-----END PGP SIGNATURE-----
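
The "Verification" step above, as an added example that is not part of the original advisory: a shell script that checks downloaded files against the advisory's MD5 table and then runs the `rpm --checksig` command the advisory gives. The function names are hypothetical, and it assumes `md5sum` and `awk` are installed; the MD5 comparison only catches corrupted or swapped downloads, while the GPG check is what ties a package to Red Hat's key.

```shell
#!/bin/sh
# Added example: verify Piranha update RPMs against the advisory's MD5 table.
# Function names are illustrative; the hashes are copied from the advisory.

ADVISORY_MD5='ece87b0ed6f01a87b954b980c115aec0 piranha-0.4.13-1.src.rpm
f2db6f165f21f93e9b724a94cd3fc595 piranha-0.4.13-1.i386.rpm
bd54eb595f2a535e52486e799715ce00 piranha-docs-0.4.13-1.i386.rpm
ad9fb552616a221db26b92b668211a30 piranha-gui-0.4.13-1.i386.rpm'

# expected_md5 NAME [TABLE]: print the MD5 listed for NAME; status 1 if unlisted.
expected_md5() {
    printf '%s\n' "${2:-$ADVISORY_MD5}" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_pkg FILE [TABLE]
# Status: 0 = MD5 matches, 1 = mismatch, 2 = file unlisted or unreadable.
verify_pkg() {
    name=$(basename "$1")
    want=$(expected_md5 "$name" "${2:-$ADVISORY_MD5}") ||
        { echo "UNLISTED $name"; return 2; }
    [ -r "$1" ] || { echo "MISSING  $name"; return 2; }
    have=$(md5sum "$1" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "OK       $name"
        return 0
    fi
    echo "MISMATCH $name (expected $want, got $have)"
    return 1
}

# verify_all FILE...: MD5-check each file; for files that match, also run the
# advisory's signature check when rpm is present (needs Red Hat's key imported).
verify_all() {
    rc=0
    for f in "$@"; do
        if verify_pkg "$f"; then
            if command -v rpm >/dev/null 2>&1; then
                rpm --checksig "$f" || rc=1
            fi
        else
            rc=1
        fi
    done
    return $rc
}

# Run only when package files are given on the command line.
if [ "$#" -gt 0 ]; then verify_all "$@"; fi
```

Run it with the downloaded RPM paths as arguments; a non-zero exit status means at least one file should not be installed with `rpm -Fvh`.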