SpotCloud Security Response


Lars Forsberg

Mar 22, 2011, 1:34:42 PM
to SpotCloud Buyers
Detailed technical response to report of security issues in SpotCloud:

Issue #1:

REPORT: "The SpotCloud API was released with the same signature
vulnerability that affected Amazon AWS, with the same results
(acceptance of forged requests). Reuven already effectively publicly
confirmed this vulnerability in claiming that SSL would have mitigated
it, however scripting languages including Python have used CERT_NONE
by default so an attacker may have been able to bypass and/or proxy
"secure" connections. SpotCloud now uses OAuth."

RESPONSE: This issue is not valid. For this vulnerability to be
present, user-provided data would have to be passed through the
SpotCloud API to the REST interfaces of connected providers. No such
data is passed by SpotCloud. (Relevant background to this issue as it
affected Amazon AWS is here: http://rdist.root.org/2009/05/20/amazon-web-services-signature-vulnerability).

Additionally, for this issue to be present the provider API would have
to accept unexpected (i.e. user-injected) input parameters, which ECP
does not. ECP rejects API requests with extraneous parameters.
Additionally, the ECP REST API is never used with this auth method
from the ECP interface, so it is not vulnerable to MITM/replay attacks
(REST API calls are all done over SSL with certificate validation).
Note also that this auth method was implemented as a workaround to a
bug in GAE where certificates were not correctly validated. This bug
was fixed by Google earlier this month, which provides an additional
level of protection over and above the auth API.

Issue #2:

REPORT: "Appliances in the Appliance Directory for SpotCloud appear to
be connected to the public Internet when launched, with a low security
SSH configuration that accepts default, published, administrative
passwords (e.g. root/spotcloud or spotcloud/spotcloud). If so, a
remote attacker could take advantage of a race condition between
launch and password change to gain full administrative access (or at a
later date if the default password is unchanged by the user)."

RESPONSE: This issue is theoretically valid but extremely difficult to
exploit, and does not represent a significant exposure. Users can
provision their own, well-secured appliances with their own selected
access mechanisms and credentials. Alternatively, users can also
choose to deploy a prebuilt appliance from the SpotCloud directory. A
user who chooses the latter will start the appliance on any one of
hundreds of cloud providers, and at a provider-determined IP address.
Only the user is provided with the appliance IP address when it is
started. The only way an attacker could access the appliance and log
on before the user does would be by continuous random scanning of the
IP space of all connected providers. Users for whom this is a concern
can simply tailor their appliances with unique credentials and access
mechanisms prior to deployment.

Issue #3:

REPORT: "Enomaly ECP (previous and/or current versions) may not
validate incoming web and/or API requests and if so, may be vulnerable
to cross-site request forgery in which an attacker could make
unauthorised management requests on behalf of a user."

RESPONSE: Indeterminate, as this report is unactionably vague. The
statement that the Enomaly ECP or SpotCloud products "may not"
sufficiently validate certain input and "may" contain an XSRF
vulnerability does not comprise a vulnerability. Enomaly has
requested additional details if any are available, and will update
should any valid report be received.

Issue #4:

REPORT: "Enomaly have published the Enomaly ECP SpotCloud Edition
software on the public Internet (http://dl.enomaly.com/ecpspotcloud)
via posts in public forums, which may make the software more
vulnerable to reverse engineering."

RESPONSE: This report is not valid. Enomaly ECP SpotCloud Edition is
freely downloadable. This does not comprise a vulnerability.
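The signature issue argued over in Issue #1 is easier to judge with the two canonicalisation schemes side by side. The example below is added here and is not code from the original post, from Enomaly, or from any provider API; it models the AWS-style undelimited string-to-sign (name and value concatenated with no separator, as in the linked rdist.root.org write-up) against a delimited, URL-encoded form, and a per-action parameter whitelist of the kind the reply says ECP applies. The secret key, the `CreateItem` action, the `Name`/`Owner` parameters, the sample host and the `EXPECTED_PARAMS` table are all constructed for the demonstration. It shows the precondition the reply names: a user-chosen value passed through into a request the broker signs lets that user re-split the same bytes into an extra parameter the broker never intended.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo key; a real broker would hold the provider's per-account secret.
SECRET = b"demo-secret-not-a-real-key"

# What the broker intends to sign on the user's behalf. Only the Name value comes
# from the user, who has chosen it so that it also parses as "Name=x" + "Owner=admin".
USER_VALUE = "xOwneradmin"
INTENDED = {"Action": "CreateItem", "Name": USER_VALUE}

# What the same user later submits directly to the provider, reusing the signature.
FORGED = {"Action": "CreateItem", "Name": "x", "Owner": "admin"}

# Hypothetical per-action parameter whitelist, modelling an API that rejects
# unexpected parameters (the behaviour the reply attributes to ECP).
EXPECTED_PARAMS = {"CreateItem": {"Action", "Name"}}


def string_to_sign_v1(params):
    """Undelimited canonical form, as in the original AWS scheme: parameters sorted
    case-insensitively by name, then name+value concatenated with nothing between."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "".join(name + value for name, value in ordered)


def string_to_sign_v2(params, method="GET", host="api.provider.example", path="/"):
    """Delimited canonical form: every name and value is URL-encoded (so '=' and '&'
    inside a value cannot masquerade as structure), pairs are joined with '=' and
    '&', and the request method, host and path are bound into the signed string."""
    ordered = sorted(params.items())
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in ordered)
    return "\n".join([method, host, path, query])


def sign(secret, string_to_sign):
    mac = hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(secret, params, signature, canonicalize):
    """Provider-side check: recompute the signature from the parameters received."""
    expected = sign(secret, canonicalize(params))
    return hmac.compare_digest(expected, signature)


def forgery_accepted(canonicalize):
    """Sign INTENDED as the broker would, then test whether that signature
    also validates FORGED under the same canonicalisation."""
    sig = sign(SECRET, canonicalize(INTENDED))
    return verify(SECRET, FORGED, sig, canonicalize)


def has_only_expected_params(params):
    """Independent defence: reject any parameter the action does not define."""
    allowed = EXPECTED_PARAMS.get(params.get("Action"), set())
    return set(params) <= allowed


if __name__ == "__main__":
    print("v1 strings collide:", string_to_sign_v1(INTENDED) == string_to_sign_v1(FORGED))
    print("v1 accepts forged request:", forgery_accepted(string_to_sign_v1))
    print("v2 accepts forged request:", forgery_accepted(string_to_sign_v2))
    print("forged request passes whitelist:", has_only_expected_params(FORGED))
```

Both mitigations in the reply are visible here: the forged request fails the delimited scheme because `Name=x&Owner=admin` and `Name=xOwneradmin` are different strings, and it fails the whitelist because `Owner` is not a parameter `CreateItem` defines. Either one alone blocks this forgery, but only the delimited scheme blocks it when the injected parameter happens to be one the action does accept.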
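The reply to Issue #2 tells users who are concerned about the launch-to-password-change window to tailor their appliances before deployment. The example below is added here and is not code from the original post, from Enomaly, or from any SpotCloud appliance; it is a build-time helper that rewrites an `sshd_config` so that password login (and therefore any published default such as the ones the report quotes) is never usable on the public address, and it generates a unique per-image password for any account that must still have one. The directive values, the sample configuration and the `harden_sshd_config` / `effective_setting` / `random_password` names are all chosen for this illustration; the helper must run when the image is built, not at first boot, since at first boot sshd may already be listening.

```python
import re
import secrets
import string

# Directives an appliance image should carry before sshd ever listens on a public
# address. Values chosen for this example; check them against the target OpenSSH version.
HARDENED_DIRECTIVES = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
}

# Constructed sample of a permissive sshd_config of the kind the report describes:
# root login on, passwords on, one directive present only as a commented-out line.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s+(.*)$")


def harden_sshd_config(text, directives=HARDENED_DIRECTIVES):
    """Return sshd_config text with each hardened directive active exactly once.

    Active lines are rewritten in place, commented-out copies are left alone
    (sshd ignores them), later duplicates are dropped, and missing directives are
    appended. sshd honours the first occurrence of a directive, so a stray
    'PasswordAuthentication yes' above ours would silently win; hence the
    single-occurrence rule. Directive names are matched case-sensitively here
    for brevity; sshd itself is case-insensitive.
    """
    remaining = dict(directives)
    out = []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1) in remaining:
            name = m.group(1)
            out.append(f"{name} {remaining.pop(name)}")
        elif m and m.group(1) in directives:
            continue  # duplicate of a directive already rewritten above
        else:
            out.append(line)
    for name, value in remaining.items():
        out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def effective_setting(text, name):
    """Read a directive back the way sshd does: first active occurrence wins."""
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1) == name:
            return m.group(2).strip()
    return None


def random_password(length=24):
    """Unique per-image replacement for a published default such as 'spotcloud'."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(harden_sshd_config(SAMPLE_SSHD_CONFIG))
    print("one-off root password for the console only:", random_password())
```

Applying the function twice yields the same text, so it is safe to run on an image that was already partially hardened; and because `effective_setting` follows sshd's first-match rule, it is the right check to put in an image test that fails the build if `PasswordAuthentication` reads anything other than `no`.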