Several serious theoretical and practical security vulnerabilities, alleged GPL license violations, and more were found in Astaro "secure" Linux. Joerg Luebbert writes, "Some of the vulnerabilities might be local and some might argue about that Astaro Security Linux is a Firewall and no server... but as it uses SSHD it could always be that the "loginuser" account might have been compromised and shell access granted.". . .
Several serious theoretical and practical security vulnerabilities, alleged GPL license violations, and more were found in Astaro "secure" Linux. Joerg Luebbert writes, "Some of the vulnerabilities might be local and some might argue about that Astaro Security Linux is a Firewall and no server... but as it uses SSHD it could always be that the "loginuser" account might have been compromised and shell access granted."

Date: Sat, 02 Feb 2002 19:40:08 +0100
From: "[ISO-8859-1] Jörg Lübbert"
To: bugtraq@securityfocus.com
Subject: Vulnerabilities in Astaro Security Linux 2.016

Preamble:

Product: Astaro Security Linux

Version: 2.016

Vendor: Astaro AG

Vendor URL:

Vendor status and reply: Vendor has been contacted with posting of this message

Description:
Astaro develops and distributes the firewall solution Astaro Security Linux. Astaro Security Linux offers extensive protection for local networks against hackers, viruses and other risks of connecting to the Internet. Astaro Security Linux is distributed by a worldwide network of partners who offer local support regarding installation and maintenance. Introduction:
Dear BugTraq readers. I've taken a short glimpse on Astaro Security Linux and found out some points of interest that are mostly design flaws. Please note that I am theorising (based on a 1 1/2 hour research only) about the impacts and have not proven their concepts on Astaro Security Linux yet even though most can be proved easily.

Some of the vulnerabilities might be local and some might argue about that Astaro Security Linux is a Firewall and no server... but as it uses SSHD it could always be that the "loginuser" account might have been compromised and shell access granted.

Vulnerabilities:

Summary:
5 Design flaws
2 Completely theorised design flaws
1 Possible design flaw
1 Licensing violation
1 Software bug

Category 1: Design flaw

Problem 1:
Astaro Security Linux chroots various daemons like snmpd and named in an insecure manner. The proc filesystem is mounted within their chroot jails. Furthermore the chroot jail entitled chroot-ipsec provides the proc file system, a bash, ls, cat and most notably mount.

Impact 1:
Arbitrary users could cause severe damage by breaking the named or snmpd remotely and by misusing the proc file system to reconfigure certain parts of the system configuration under proc/sys. Furthermore proc/kcore could be read to obtain information stored in memory which could lead to system administrator privileges. These could for instance be DES encrypted passwords which leads to another design flaw Exploit 1: None provided

Category 2: Design flaw

Problem 2:
Astaro Security Linux uses the DES algorithm as standard hashing scheme. DES has turned very old and is known to be easily crackable with modern processing power.

Impact 2:
Arbitrary users who obtain encrypted passwords (see 1) could retreive a 6 letter clear-text password within just some hours using modern processing power and use it to compromise the system.

Exploit 2: None provided

Category 3: Design flaw

Problem 3:
Astaro Security Linux runs most of its daemons with UID 0 privileges. Affected daemons are: named or snmpd. These daemons run in a chroot jail. Impact 3:
Arbitrary users could remotely crack one of the affected daemons and use UID 0 powers to compromise the whole file system even if these daemons run in a chroot jail. Additional note 3-1:
The main design flaw lies within that these daemons run UID 0 within a chroot jail. The daemons itself are not the design flaw (even though BIND 8.2.3 can be considered old). Additional note 3-2:
Other daemons with UID 0 are syslogd, klogd, mdw_daemon.pl, cron, aua and sshd. VPN subsystem, SQUID and others haven't been checked by me. Exploit 3: None provided

Category 4: Possible design flaw

Problem 4:
OpenSSL PRNG Internal State Disclosure Vulnerability

Impact 4:
Please see:

Exploit 4: None provided

Additional note 4:
It was NOT tested if the version of OpenSSL (0.9.6) used in Astaro Security Linux is a security-patched version of OpenSSL 0.9.6 since no sources were provided (5)

Category 5: Licensing violation

Problem 5:
Astaro AG releases software packages without providing their sources and modifications to them as required in §3 of the GNU GPL and neither seems to offer distribution of GPL sources for free within a 3 year period in a written form. Additional note 5:
I have not checked every available documentation for a written form of an offer as described in GNU GPL §3 b but only their license (which should normally contain just that) and CD-ROM contents.

Category 6: Design flaw

Problem 6:
Astaro Security Linux has a default limit for simultaneously processes of 8190 soft and 8912 hard and its default cpu-time is "unlimited". Impact 6:
Arbitrary users with local access (loginuser) can easily launch fork bombs to consume 100% CPU power and stop the system from operating. Exploit 6: None provided

Category 7: Completely theorised design flaw

Problem 7:
Astaro Security Linux uses a very old version of PAM (0.70 dated 09.10.1999) which maybe contains vulnerabilities.

Category 8: Design flaw

Problem 8:
/proc/version indicates "Linux version 2.4.8-asl-0.010815.0", which indicates the 2.4.8 version of the Linux kernel that contains some security vulnerabilities. Additional information on possible vulnerabilities can be found here:




Impact 8: Various, see above URLs.

Exploit 8: None provided

Additional note 8:
Due to absence of source code it could not be proved if this kernel is patched against the security issues mentioned above.

Category 9: Completely theorised design flaw

Problem 9:
Astaro Security Linux seems to rely on an old version of glibc according to ls -l /lib/libc*. 
 Output: -rwxr-xr-x   1 root     root      1080268 Sep 15  2000 libc.so.6
If my assumption is correct and the version used was not patched, it could be possible that the system is vulnerable to a "glibc file globbing heap corruption vulnerability". For more information please see: Impact 9: See URL above

Exploit 9: None provided

Category 10: Software bug (OT for Bugtraq, still included ;)

Problem 10: During installation one can choose to install OpenSource software only or OpenSource software and the so called Astaro Security Enterprise Toolkit. When only "OpenSource" was chosen, the installer locks up after entry of the last password (I think this was for lilo). If my assumption is right (that a lilo password is asked for) then no lilo password will be set even though the Enterprise Toolkit was selected and the installation finished successfully.

Additional note 10:
System tested on was 800MHZ Duron, 128MB RAM, 20GB Maxtor HD, 52X CD-ROM, 3X RTL 8139.

Final words:

Conclusion, a final word to the Astaro AG:
So much about a "Security Linux"... You may have done the firewalling and the configuration interface of your product real good... but you should also read some articles on what could be considered more internal security and work on your products some more.

Disclaimer:
None of the information provided are meant to aid any destructive purposes. I will furthermore take no responsibility for that anyone will use the information provided for his or her own malicious purposes. This information is intended to aid in improving the current state of Astaro Security Linux, warn companies and individuals who run Astaro Security Linux and should help other designers of Linux distributions to avoid flaws like the ones elaborated on above. Please also not that I am in no way affiliated with Astaro AG or any of their 3rd party affiliates or want to harm Astaro AG and/or their customers.

- Jörg Lübbert (aka Kaladis)

--
Kaladix Linux - The Secure Linux Distribution
URL: