Disk Enclosures
1747993 Members
5368 Online
108756 Solutions
New Discussion юеВ

Command View SDM security concerns

 
SOLVED
Go to solution
Aaron Nienhuis
Senior Member

Command View SDM security concerns

We recently purchased a couple VA7400s with HP15 firmware and Command View SDM 1.04. I installed the CV SDM hostagent, client and server components on an HPUX 11.0 system that is attached to the same SAN as the VA7400s. After installation, I noticed that the CLI commands and the GUI launcher command were world executable. Just for fun, I decided to try to run one of the commands as an unprivileged user, and was shocked when the command actually worked! In fact, an unprivileged user can successfully execute all VA administrative commands with the exception of Secure Manager commands. This means that any user can add, change, and delete LUNs, and even format the entire array! Since the Secure Manager commands have an additional password, an unprivileged user is not able to change the host access privileges on LUNs, but they can delete them entirely.

Merely, removing the world execute bit from the files (as the HP Response Center suggested) does not correct the problem, because unprivileged users can still copy the files into their home directories and successfully execute the commands. Restricting the entire /opt/sanmgr directory structure down so it is only root readable/executable is still not a fix, because an unprivileged user only needs to get the files from somewhere else (like HPs public web site), install them in their home directory, and away they go.

This vulnerability can also exploited remotely by any host allowed access (via the access.dat file) to a server running the CV SDM hostagent. If wildcards are used in the access.dat file (as suggested in the CV SDM users guide), any host in the wildcard subnet can administer the VA arrays. I have confirmed that this vulnerability exists in CV SDM 1.04 on HPUX 11.0, HPUX 11.11, and Red Hat Linux 7.2.

We first reported this issue to HP almost two months ago, and have been told that even though they agree that security is an important issue, fixing this vulnerability is a lower priority than adding features that customers really want. At this point they're hoping to fix this issue by the end of the year or first part of next. When we asked HP if customers would be notified about this vulnerability, they said that they assumed that most customers were already aware of the vulnerability and just weren't as concerned as we were.

Are we the only ones concerned about this issue? Don't get me wrong, CV SDM is not exactly feature rich, and could definitely use some enhancements, but what good is managing your storage if you can't secure it first? Please let me know if anyone else is concerned about this vulnerability, or if you have questions about what I've found.

Aaron
2 REPLIES 2
Madis Tuulparg
Advisor
Solution

Re: Command View SDM security concerns

Our company has purchased VA7410 and I also found this security issue. We are running command view on Windows 2000 platform. I was experimenting with web access and found that from allowed IP you can do anything with LUNs, but not with Secure Manager. Only Secure Manager needs authentication (password). So I am also very concerned about this issue.
Aaron Nienhuis
Senior Member

Re: Command View SDM security concerns

Wow! I can't believe it took 10 months before someone else realized they have a serious security issue if running Command View SDM. I wish I could tell you how much progress HP has made on these issues over the last 10 months, but unfortunately there has been very little.

We actually had the product manager for Command View SDM come to our site so we could explain to him the security flaws in the application, but as of CV SDM 1.06 there has been no change. Actually, the one change HP made is that CV SDM is no longer available on the public web site, which isn't exactly the solution I was looking for.

For now, the best way to secure the product is to install CV SDM on a system with only administrator access. Definately disable the web server, and make sure you don't have any wildcards in the access.dat file. Also, make sure any LUNs that have config priviledges are specifically assigned to the management server. Otherwise, any other system on the SAN could be used to manage the array as well.

In my opinion, these security issues are so basic and severe that this software never should have made it out of the development lab, let alone be in production for almost 2 years!

Thanks for replying, please let me know if you make any progress with HP.

Aaron