Created by Kurt Seifried, [email protected]
http://seifried.org/security/advisories/kssa-004.html, [email protected]
Title:
Linux iSCSI leaves passwords exposed in world readable configuration file
Issue date:
Aug 8, 2002
Who should read this advisory:
Anyone using Cisco's iSCSI implementation for Linux.
Author and contact info:
This advisory is copyright 2002, Kurt Seifried, [email protected], http://www.seifried.org/
Overview:
The Cisco iSCSI implementation leaves the configuration file “/etc/iscsi.conf” world readable by default, potentially exposing passwords used to access iSCSI resources.
Affected software:
Cisco's iSCSI implementation for Linux on Red Hat Linux.
Impact:
Attackers can view passwords and access iSCSI resources using other systems, potentially bypassing access controls.
Details:
iSCSI offers a flexible framework for various authentication options to access shared data resources. By viewing passwords, an attacker can potentially access iSCSI resources and bypass authentication controls.
Solutions and workarounds:
Ensure that the file “/etc/iscsi.conf” is not world readable. Please note that SuSE Linux used mode 0600 by default on this file.
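One way to check and apply this workaround from a shell, as an added example that is not part of the original advisory or of the Cisco software. The function names are hypothetical; the default path and mode 0600 are the ones given above, and the demo runs on a constructed temporary file standing in for the real one.

```shell
#!/bin/sh
# Added example: audit and tighten the mode of the iSCSI configuration file.
# file_mode, check_conf and fix_conf are hypothetical helper names.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if only the owner has access (e.g. 0600),
#        1 if group or other have any access (e.g. 0644),
#        2 if the file is missing or cannot be examined.
# This is stricter than "not world readable": it matches the 0600 default.
check_conf() {
    conf=${1:-/etc/iscsi.conf}
    [ -e "$conf" ] || return 2
    mode=$(file_mode "$conf") || return 2
    # The leading 0 makes the shell read the mode as octal; 077 masks
    # the group and other permission bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Restrict the file to owner read/write, the mode SuSE shipped by default.
fix_conf() {
    conf=${1:-/etc/iscsi.conf}
    chmod 600 "$conf"
}

# Demo on a constructed file with the exposed mode described in the advisory.
demo=$(mktemp) && chmod 644 "$demo"
check_conf "$demo" || echo "exposed: mode $(file_mode "$demo")"
fix_conf "$demo" && echo "now: mode $(file_mode "$demo")"
rm -f "$demo"
```

Called with no argument, check_conf and fix_conf act on /etc/iscsi.conf. Tightening the mode does not undo earlier exposure, so passwords that sat in a world-readable file should be changed.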
Additional information:
This software is an external Cisco project and not formally supported by PSIRT.
References:
Other acknowledgements / thanks / greetings / information:
None
URL for advisory, signature and keys:
http://seifried.org/security/advisories/kssa-004.html
http://seifried.org/security/advisories/kssa-004.html.sig
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the bulletin is not edited or changed in any way, is attributed to Kurt Seifried [email protected], and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Kurt Seifried [email protected] is not liable for any misuse of this information by any third party.
Last updated 8/8/2002
Copyright Kurt Seifried 2002