
[Fwd: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue]




--- Begin Message ---
Arkeia announces the release of Arkeia Network Backup 5.3.5.
This release fixes a buffer overflow bug described in bugtraq id 12594.
This bug could allow a remote attacker to execute arbitrary code
remotely, and thus get root access to the machine.
If you are in a trusted private lan environment, you don't need to
upgrade.
However, if you are using Arkeia in an untrusted environment, it is
strongly advised to upgrade to this version.
The bug is in the arkeiad daemon process. So you have to upgrade all the
sensitive client machines.
You can get this new version for all client packages through our ftp
site:
ftp://ftp.arkeia.com/pub/arkeia5.3/arkeia-network-backup

It is also strongly advised to read the Arkeia User Manual "Appendix B: System Security" to secure Arkeia against system-level intrusion.

Here is the appendix:


APPENDIX B: System Security
---------------------------
This appendix describes what you need to do to secure Arkeia 5 against
system-level intrusion. If you are looking for information about data
security, or how to encrypt the data Arkeia puts onto backup tapes,
please see these references:
 - Define options for the savepack on page 84;
 - encryption configuration on page 168.

B.1. Client Security
--------------------
To achieve the best security on an Arkeia client computer, you need to
prevent:
 - the client from being used as a server,
 - access to the client from non-authorized backup servers, and
 - access to configuration files.
This section explains how to secure an Arkeia client.

Deny server functions on a client
---------------------------------
Arkeia 5 consists of three main functional packages:
 - backup server,
 - client, and
 - graphical interface.
To simplify installation, all three packages are installed every time.
When the installation is on a platform which can be either an Arkeia
server or client, there is a risk that an intruder who hacks into the
client computer could turn it into a backup server.

To prevent this you can deny access to the server functions on a client
computer in the authorization configuration files (auth_ files).
Auth_ files are named using this convention:
$ARKEIA_DIR/arkeiad/auth_<PROCESS_NAME>.cfg

To deny access to a process, change the active line in the authorization
configuration file from ALLOW to DENY:
<PROCESS_NAME>.*        DENY    *       *

For example:
ARKBKP.*        DENY    *       *

The server auth_ files to change to DENY are:
 a. auth_ARKBKP (Backup)
 b. auth.ARKDUP (Tape duplication)
 c. auth.ARKLIB (Tape library management)
 d. auth_ARKNAV (Navigation)
 e. auth_ARKRST (Restoration)
 f. auth_ARKTRANS (Transaction)

Secure access to clients
------------------------
On most networks, it is advisable to deny backup access to clients,
except from the intended Arkeia server (or servers).
This is also done in the auth_ files.
The format to restrict access to a given backup server is:

<PROCESS_NAME>.* ALLOW <backup_server_FQDN> *

For example:
ARKADMIN.*      ALLOW   mercury.arkeia.com      *

The client auth_ files to change are:
  a. auth_ARKADMIN (Client administration)
  b. auth_ARKFS (client backup, restore, navigation)

Plug-ins
--------
Plug-ins are generally forked by the local client, but it is also
advisable to restrict access to the local computer.
The format to limit access is:

ARKP<PLUGIN>.* ALLOW <local computer FQDN> *

For example:
ARKPMYSQL.*     ALLOW   mercury.arkeia.com      *

Further access limitation
-------------------------
You can further tighten client access by requiring a connection on a
reserved port, and using a root account. The format to limit access is:

<PROCESS_NAME>.* ALLOW <backup server FQDN>[1] root

For example:
ARKADMIN.*      ALLOW   mercury.arkeia.com[1]   root

Secure configuration files
--------------------------
Various Arkeia configuration files contain information such as
passwords and encryption keys, which should be restricted to prevent
unauthorized access.
The best way to do this is to make these files root read-only.
In a shell, run the following command:

# chmod 600 <filename>

The files to restrict are:
 a. $ARKEIA_DIR/arkc/arkc.param
 b. $HOME/.arkc/arkc.param
 c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
 d. $ARKEIA_DIR/arkeiad/cryptree.ark
 e. $ARKEIA_DIR/arkeiad/admin.cfg
 f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
 g. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
 h. path-to/<global encryption file>
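
The client checklist above (server functions denied, client access limited to the backup server, sensitive files at mode 600) can be checked mechanically. The following is an added example, not part of the Arkeia manual or product; the function names are hypothetical, and it assumes that `#` starts a comment line in auth_ files and that the files follow the auth_<PROCESS_NAME>.cfg naming convention given above.

```shell
# Added example, not Arkeia code. Assumptions: '#' starts a comment in auth_
# files, fields are whitespace-separated, files are auth_<PROCESS_NAME>.cfg.
# check_auth FILE ACTION [HOSTS]: succeed only if FILE has active rules, all
# use ACTION, and (if HOSTS is given) each host is in the '|'-separated HOSTS.
check_auth() {
    awk -v want="$2" -v hosts="$3" '
        BEGIN { n = split(hosts, a, "|"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        { rules++
          if ($2 != want) bad++
          m = split($3, h, "|")
          for (i = 1; hosts != "" && i <= m; i++) {
              sub(/\[[0-9]+\]$/, "", h[i])     # drop reserved-port marker [1]
              if (!(h[i] in ok)) bad++         # "*" or an unlisted host
          } }
        END { exit !(rules > 0 && bad == 0) }
    ' "$1" 2>/dev/null
}
# check_mode FILE: succeed only if FILE has mode 600 (owner is not checked).
check_mode() {
    case $(ls -ld "$1" 2>/dev/null) in -rw-------*) return 0 ;; *) return 1 ;; esac
}
# audit_client ARKEIA_DIR SERVER_FQDN: print findings, return their count.
audit_client() {
    d=$1/arkeiad; fails=0
    for p in ARKBKP ARKDUP ARKLIB ARKNAV ARKRST ARKTRANS; do
        check_auth "$d/auth_$p.cfg" DENY ||
            { echo "FAIL auth_$p.cfg: server function not denied"; fails=$((fails + 1)); }
    done
    for p in ARKADMIN ARKFS; do
        check_auth "$d/auth_$p.cfg" ALLOW "$2" ||
            { echo "FAIL auth_$p.cfg: not limited to $2"; fails=$((fails + 1)); }
    done
    for f in "$1/arkc/arkc.param" "$d/cryptree.ark" "$d/admin.cfg" "$d"/auth_*.cfg; do
        [ ! -e "$f" ] || check_mode "$f" ||
            { echo "FAIL $f: mode is not 600"; fails=$((fails + 1)); }
    done
    return "$fails"
}
# make_sample DIR: constructed client tree with two deliberate weaknesses.
make_sample() {
    mkdir -p "$1/arkeiad" "$1/arkc"
    for p in ARKBKP ARKDUP ARKLIB ARKNAV ARKRST ARKTRANS; do
        printf '%s.*\tDENY\t*\t*\n' "$p" > "$1/arkeiad/auth_$p.cfg"; done
    printf 'ARKADMIN.*\tALLOW\tmercury.arkeia.com[1]\troot\n' > "$1/arkeiad/auth_ARKADMIN.cfg"
    printf 'ARKFS.*\tALLOW\t*\t*\n' > "$1/arkeiad/auth_ARKFS.cfg"      # weak: any host
    : > "$1/arkc/arkc.param"
    chmod 600 "$1"/arkeiad/auth_*.cfg; chmod 644 "$1/arkc/arkc.param"  # weak mode
}
```

Run `audit_client "$ARKEIA_DIR" <backup_server_FQDN>` as root on a client; a missing auth_ file is reported the same way as a permissive one.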


B.2 Server Security
-------------------
To achieve the best security in an Arkeia Server,
 - restrict access to the Arkeia backup server functions from remote
   computers,
 - reserve sensitive operations such as backup creation for an Arkeia
   Administrator role, leaving daily operations to an Arkeia Operator
   role,
 - secure the server configuration files, and
 - secure by encryption the data stream between the Arkeia server and
   clients.

Secure access
-------------
You are able to manage backups and restores from any computer on the
network.
As backup administrator, you would normally do this from the server
computer, or your own computer, so it is advisable to restrict Arkeia
backup control to these computers.
On an Arkeia server, you can control access through the auth_ files, in
the same way you controlled access to Arkeia clients.
The format to limit access is:

<PROCESS_NAME>.* ALLOW <list of allowed hosts> *

For example:
ARKADMIN.*      ALLOW   mercury.arkeia.com|earth.arkeia.com     *

Note that each allowed host FQDN is separated by a "|" (vertical broken
bar).

The server process authorization configuration files in which to list
the authorized hosts are:
 a. auth_ARKBKP (Backup)
 b. auth.ARKDUP (Tape duplication)
 c. auth.ARKLIB (Tape library management)
 d. auth_ARKNAV (Navigation)
 e. auth_ARKRST (Restoration)
 f. auth_ARKTRANS (Transaction)

Roles
-----
Once you have configured Arkeia to work the way you want it to,
changes to the configuration will be very rare.
It is advisable to create an account with OPERATOR and USER permissions
for the daily management of backups and restorations.

Secure configuration files
--------------------------
For the same reasons as client configuration files, server configuration
files should be restricted to prevent unauthorized access. The best way
to do this is to make these files root read-only.
In a shell, run the following command:

# chmod 600 <filename>

The files to restrict are:
 a. $ARKEIA_DIR/arkc/arkc.param
 b. $HOME/.arkc/arkc.param
 c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
 d. $ARKEIA_DIR/arkeiad/cryptree.ark
 e. $ARKEIA_DIR/arkeiad/admin.cfg
 f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
 g. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
 h. path-to/<global encryption file>
 i. $ARKEIA_DIR/server/dbase/f3sec/*

Port forwarding
---------------
By default, communication between the Arkeia backup server and the
Arkeia backup client is unencrypted.
You can use SSH to secure the data stream between the server and the
client. On the server computer, enter this command as root:

# ssh -g -L 617:<backup_server_hostname>:619 <client_hostname>

When Arkeia connects to port 617 on a client, the data is forwarded over
the secure channel to client_hostname, port 619.
You must change the Arkeia backup client port to 619; see Arkeia daemon
management on page 160 of the Arkeia User Manual for instructions on how
to do this.

For example:
# ssh -g -L 617:earth.arkeia.com:619 mercury.arkeia.com

Data will now pass through an encrypted channel between port 617 on the
backup server earth.arkeia.com and port 619 on the client
mercury.arkeia.com.

If you want to apply this setting automatically when the server computer
is booted, add the above command to the file /etc/ssh/ssh_config


--
Arnaud Spicht, CTO

Arkeia Corp
1808 Aston Avenue, Suite 220
Carlsbad, CA 92008
USA
Tel: (760) 431.1319 x2004
Fax: (760) 602.8599

Arkeia SA
41 rue Delizy
93692 Pantin Cedex
France
Tel: +33 (0)1 48 10 89 89
Fax: +33 (0)1 48 10 89 90

http://www.arkeia.com
________________________________________________________________________
This email message is for the sole use of the intended recipient(s) and
may contain confidential information or information belonging to Arkeia
Corp. The unauthorized disclosure, use, dissemination or copying (either
whole or partial) of this e-mail, or any information it contains, is
prohibited. If you are not the intended recipient of this e-mail, please
delete it immediately from your system and notify the sender of the
wrong delivery by reply email. Thank you.

___________________________________________________
This read-only mailing-list is used for announcements about Arkeia (new
releases, bug fixes, etc...) If you wish to modify your subscription or if
you want to subscribe to other Arkeia mailing-lists, please, go to:
http://www.arkeia.com/arkeialists.html
____________________________________________________



--- End Message ---