09 November 2008

Critical 0-day exploits in Enomaly ECP released... by Enomaly!?!

In what could well be the single most crass act of stupidity of the year (giving even Dell's attempted trademarking of 'Cloud Computing' a run for its money), small Canadian outfit Enomaly's "Founder and Chief Technologist" Reuven Cohen released a draft advisory for critical vulnerabilities on his company blog this weekend, including exploits but failing to provide a fix:
CVE-2008-4990: Enomaly ECP insecure temporary file creation vulnerabilities

Synopsis

All versions of Enomaly ECP/Enomalism use temporary files in an insecure manner, allowing for symlink and command injection attacks.

2. Impact Information

Background

Enomaly ECP (formerly Enomalism) is management software for virtual machines.

Description

Sam Johnston of Australian Online Solutions reported that enomalism2.sh uses the /tmp/enomalism2.pid temporary file in an insecure manner.

Impact

A local attacker could perform a symlink attack to overwrite arbitrary files on the system with root privileges, or inject arguments to the 'kill' command to terminate or send arbitrary signals to any process(es) as root.

Exploits

a. ln -s /tmp/target /tmp/enomalism2.pid
b. echo "-9 1" > /tmp/enomalism2.pid

While claiming it to be the fruit of a vendetta 'fueled on a potent mix of rage and red bull', he downplayed the vulnerability as 'relatively minor', exhibiting a stunning display of cluelessness and blatant disregard for Enomaly ECP's users' safety (assuming they actually have any). Furthermore, saying that it 'should not effect anyone with decent dom0 access rules' is like a safe manufacturer claiming that it's OK if their safes have a default '12345' code (while publishing that code) because people should be locking their doors and windows anyway. Let's be clear: vulnerabilities like this are extremely serious even when there are no local users, as a flaw in any system (like the Moodle vulnerability a few weeks back) can be turned into an absolute nightmare by an attacker, who would be able to overwrite arbitrary files and send 'kill' signals to arbitrary processes, with root privileges.

I hate to disappoint, but the vulnerability was discovered purely by accident while (unsuccessfully) trying to make the software work for the (since abandoned) freenomalism fork. When viewing the startup script (enomalism2.sh) the flaw stands out like a dog's crown jewels, in the third define and before the first line of active code. No doubt there are many others if this chestnut is sitting 3 lines in, so until such time as the company develops an interest in securing their products anyone using them in production needs to have their head examined. Security is of paramount importance in a virtualised environment where a myriad of untrusted applications run alongside each other on common hardware.
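The two defects the advisory describes, a PID file in a world-writable directory and its contents reaching kill unchecked, are both addressed in the following added example of hardened PID-file handling for an init-style script. This is illustrative code written for this post, not enomalism2.sh or anything from Enomaly; PIDDIR, safe_read_pid, safe_stop and demo are assumed names, and the three sample PID files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from enomalism2.sh: hardened handling of the
# PID file that CVE-2008-4990 abuses. PIDDIR, safe_read_pid, safe_stop
# and demo are assumed names used for illustration only.
# A root-owned, non-world-writable directory instead of /tmp, so an
# unprivileged local user cannot plant a symlink or a crafted file there.
PIDDIR=${PIDDIR:-/var/run}

# Print the PID stored in "$1" only if the file is a regular file (never a
# symlink), owned by the user running the script, and holds exactly one
# positive integer; return 1 otherwise. Plain variables keep this POSIX sh.
safe_read_pid() {
    f=$1
    [ -h "$f" ] && return 1        # symlink check before the file is opened
    [ -f "$f" ] || return 1
    # Ownership: GNU stat first, BSD stat as a fallback.
    owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    pid=$(head -n 1 "$f")
    # Anything but bare digits is rejected; this is what stops content
    # such as "-9 1" from turning into extra arguments for kill.
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 0 ] || return 1
    printf '%s\n' "$pid"
}

# Stop the daemon named in the PID file, refusing to invoke kill at all if
# validation fails; "--" ends option parsing as a second line of defence.
safe_stop() {
    pid=$(safe_read_pid "$PIDDIR/enomalism2.pid") || {
        echo "refusing to use untrusted pidfile $PIDDIR/enomalism2.pid" >&2
        return 1
    }
    kill -TERM -- "$pid"
}

# Constructed demonstration: three PID files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 12345  > "$d/good.pid"
    printf '%s\n' '-9 1' > "$d/injected.pid"   # the injection payload
    ln -s "$d/good.pid" "$d/link.pid"          # a planted symlink
    safe_read_pid "$d/good.pid"     && echo "good.pid: accepted"
    safe_read_pid "$d/injected.pid" || echo "injected.pid: rejected"
    safe_read_pid "$d/link.pid"     || echo "link.pid: rejected"
    rm -rf "$d"
}
demo
```

Running it prints the accepted PID followed by the two rejections; safe_stop is never called by the demo, since it would send a real signal.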

Fortunately, the one-line fix for those of us who do care about security is trivial:
22c22
< PIDFILE=/tmp/enomalism2.pid
---
> PIDFILE=/var/run/enomalism2.pid
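Review bot: moving PIDFILE from /tmp to /var/run addresses the symlink vector listed under Impact, since that directory is not writable by unprivileged users, but the second listed vector, argument injection into 'kill', is only narrowed rather than removed: whatever the script reads from the PID file is presumably still handed to kill as-is. A guard that the file holds a single positive integer before it is used, together with `kill -- "$PID"`, would close that gap, and a unified diff with a few lines of context would let readers confirm that line 22 is the only place /tmp is referenced.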
Anyway, so long as Enomaly persist with doing more damage than good to the cloud computing revolution (for example, by running closed 'interoperability' forums, convincing others to write a hopelessly biased book for them - and O'Reilly to publish it, bashing anything that doesn't fit their own limited view of the world, etc.) I'll continue to have very little positive to say about them.

Update: InfoWorld apparently didn't do much research before writing 'Startup Of The Week: Enomaly'. "There are about 15,000 users of Enomaly's platform" *cough*BS*cough* - I haven't been able to find one production user (nor get any of its releases working at all, for that matter), and their ~150-user community is choked with spam (yes, that's a full 2 orders of magnitude of embellishment!). They did get this right though: "Potential customers should try before they buy. Download its free software first, then sign an enterprise license if all goes well". Don't forget to patch it too: three weeks have passed since they were notified of this critical vulnerability and still nothing, except this lame attempt to make me look like an idiot for finding it; apparently they're too busy talking abroad to put out the fires at home. Class act, Reuven; did you learn how to behave like a child from your ex-employee?

5 comments:

  1. Sam, have you seen the comments on Reuven's post? In them, he responded to a comment of mine by saying that Khaz is no longer an employee of Enomaly and that he (Reuven) has also been banned from the Cloud Computing Google Group. This doesn't address your vaporware or security concerns about Enomaly ECP, but it's still interesting.

  2. Yeah, Reuven said "[Khazret Sapenov] is no longer a(sic) employee of Enomaly" in a mail last month and I see he has since rather deviously updated his LinkedIn profile to say he was Director of R&D at eNom in place of Enomaly as was previously the case (same title, start date, etc.).

    Reuven implied (confirmed?) that he was actually fired in his comment ("[his] reason for being banned was far more obvious") so given he's still active in the community (or at least the offending group) despite having ruffled plenty of feathers it will be interesting to see where he pops up next.

    Anyway, it's all well and good for Reuven to arm's-length Khaz now, but let's not forget that they worked together at Enomaly for over 3 years according to LinkedIn and he and his peons still recommend "Khaz [as] the ideal open source Software Development Leader and a key asset at Enomaly".

    Finally, yes, you're right in that my vaporware and security concerns remain, but with Reuven too busy off gallivanting around the globe I've all but given up hope that anything interesting will ever come out of Enomaly. That is unless they do somehow manage to convince one of the many VCs plaguing them that they're a worthwhile investment (good luck with that).

    Cheers,

    Sam

  3. I was good friends with a guy throughout most of college. Shortly after I graduated, we started a company together. Everything seemed great at first, but he ended up taking advantage of our friendship and screwing me over. It was a painful experience, but it helped me learn that even if things start out great, they can turn sour over time.

    By the way, is it possible to delete/retract a recommendation on LinkedIn once you've submitted it? I looked through the interface and couldn't find a way to do it. That's not a perfect excuse for Reuven, but it's worth keeping in mind.

  4. There are indeed far more people out there seeking to take advantage of others than there are people worth taking advantage of, and it is often exceedingly difficult to distinguish between the two groups (especially when the former prefers to pose as the latter).

    Oh and for sure it's possible to withdraw, on the Manage Recommendations page.

  5. Those crazy canucks are useless douchebags so don't waste your time on them. I saw them recently down here and the main guy's a pompous ass - if they were ever going to do anything interesting they'd have done it long ago...

    How about some more on the new Microsoft stuff - my boss is an MS junkie so could be our only opportunity to get some cloud computing stuff up and running, at least while he's still around.

    Thanks.
