Multiple vulnerabilities in Enomaly SpotCloud

[Sam Johnston]

Hi Enomaly,

We have discovered what appear to be a number of potentially serious vulnerabilities in SpotCloud, the Appliance Directory for SpotCloud and/or Enomaly ECP. Specifically, we have reason to believe that:

1. The SpotCloud API was released with the same signature vulnerability that affected Amazon AWS[1], with the same results (acceptance of forged requests). Reuven already effectively publicly confirmed this vulnerability in claiming that SSL would have mitigated it, however scripting languages including Python have used CERT_NONE[2] by default so an attacker may have been able to bypass and/or proxy "secure" connections. SpotCloud now uses OAuth[3].
2. Appliances in the Appliance Directory for SpotCloud[4] appear to be connected to the public Internet when launched, with a low security SSH configuration that accepts default, published, administrative passwords (e.g. root/spotcloud or spotcloud/spotcloud). If so, a remote attacker could take advantage of a race condition between launch and password change to gain full administrative access (or at a later date if the default password is unchanged by the user).
3. Enomaly ECP (previous and/or current versions) may not validate incoming web and/or API requests and if so, may be vulnerable to cross-site request forgery[5] in which an attacker could make unauthorised management requests on behalf of a user.
4. Enomaly have published the Enomaly ECP SpotCloud Edition software on the public Internet (http://dl.enomaly.com/ecpspotcloud) via posts in public forums, which may make the software more vulnerable to reverse engineering.

Other issues previously reported are believed to have been resolved, including:

1. Enomaly ECP Community Edition "vmfeed" Module Multiple Security Issues (https://secunia.com/advisories/38589/)
2. Enomaly ECP Insecure Update Mechanism (https://secunia.com/advisories/33952/)
3. Enomaly ECP Insecure Temporary File (https://secunia.com/advisories/33724/)

I trust this information will be useful in helping you protect yourselves and your users,

Kind regards,

Sam

1. http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html

2. http://docs.python.org/py3k/library/ssl.html#ssl.CERT_NONE

3. http://www.spotcloud.com/fileadmin/docs/SpotCloudProviderAPI.pdf

4. http://www.spotcloud.com/dl.44.0.html

5. http://en.wikipedia.org/wiki/Cross-site_request_forgery

-- 

Sam Johnston, Director

Australian Online Solutions Pty Ltd

[Lars Forsberg]

Enomaly takes the security of our users and their data very
seriously. Investigation of the issues reported on this forum is
under way.

While we are investigating this report to determine whether any real
risks exist, we do stress that:

1) These reported issues have resulted in absolutely no reports of any
security compromise of any kind affecting any SpotCloud or Enomaly ECP
users; and

2) Ethical practice for security vulnerability reporting calls for
private notification of the vendor first, in order that any
vulnerabilities may be addressed prior to publication of details that
could enable an attacker to cause harm. We regret that this was not
done in this case, and we call on anyone who believes they have
identified any security issue in any Enomaly product to contact us
first, via secu...@enomaly.com.

Updates will be provided should any of these issues require any action
on the part of our users.

Thanks,
The Enomaly Team

On Mar 21, 9:44 pm, Sam Johnston <sam.johns...@aos.net.au> wrote:
> Hi Enomaly,
>
> We have discovered what appear to be a number of potentially serious
> vulnerabilities in SpotCloud, the Appliance Directory for SpotCloud and/or
> Enomaly ECP. Specifically, we have reason to believe that:
>

>    1. The SpotCloud API was released with the same signature vulnerability

>    that affected Amazon AWS[1], with the same results (acceptance of forged
>    requests). Reuven already effectively publicly confirmed this vulnerability
>    in claiming that SSL would have mitigated it, however scripting languages
>    including Python have used CERT_NONE[2] by default so an attacker may have
>    been able to bypass and/or proxy "secure" connections. SpotCloud now uses
>    OAuth[3].

>    2. Appliances in the Appliance Directory for SpotCloud[4] appear to be

>    connected to the public Internet when launched, with a low security SSH
>    configuration that accepts default, published, administrative passwords
>    (e.g. root/spotcloud or spotcloud/spotcloud). If so, a remote attacker could
>    take advantage of a race condition between launch and password change to
>    gain full administrative access (or at a later date if the default password
>    is unchanged by the user).

>    3. Enomaly ECP (previous and/or current versions) may not validate

>    incoming web and/or API requests and if so, may be vulnerable to cross-site
>    request forgery[5] in which an attacker could make unauthorised management
>    requests on behalf of a user.

>    4. Enomaly have published the Enomaly ECP SpotCloud Edition software on

>    the public Internet (http://dl.enomaly.com/ecpspotcloud) via posts in public
>    forums, which may make the software more vulnerable to reverse engineering.
>
> Other issues previously reported are believed to have been resolved,
> including:
>

>    1. Enomaly ECP Community Edition "vmfeed" Module Multiple Security Issues
>    (https://secunia.com/advisories/38589/)
>    2. Enomaly ECP Insecure Update Mechanism
>    (https://secunia.com/advisories/33952/)
>    3. Enomaly ECP Insecure Temporary File

>    (https://secunia.com/advisories/33724/)
>
> I trust this information will be useful in helping you protect yourselves
> and your users,
>
> Kind regards,
>
> Sam
>

> 1.http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is...
> 2.http://docs.python.org/py3k/library/ssl.html#ssl.CERT_NONE
> 3.http://www.spotcloud.com/fileadmin/docs/SpotCloudProviderAPI.pdf
> 4.http://www.spotcloud.com/dl.44.0.html
> 5.http://en.wikipedia.org/wiki/Cross-site_request_forgery