Template Security Security Advisory
-----------------------------------
BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability
Date: 2007-07-29
Advisory ID: TS-2007-001-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0
Contents
--------
Summary
Software Version
Details
Impact
Exploit
Workarounds
Obtaining Patched Software
Credits
Revision History
Summary
-------
Template Security has discovered a serious Denial of Service
(DoS) vulnerability in the BlueCat Networks Adonis DNS/DHCP
Appliance. When XHA is configured to place two Adonis
servers in an active-passive pair to provide high
availability, a remote attacker can transmit a single UDP
datagram to crash the heartbeat control process. This can
be used for example to create an active/active condition in
the cluster pair.
Software Version
----------------
Adonis version 5.0.2.8 was tested, and XHA was configured
using the Proteus IPAM appliance. It is possible any version
of Adonis using heartbeat version 1.2.4 or earlier is
vulnerable.
Details
-------
XHA on Adonis uses the heartbeat software from the Linux-HA
project (http://www.linux-ha.org/). On the version of
Adonis we tested, heartbeat version 1.2.3 is used. This
version is vulnerable to a well-known remote DoS attack
which was announced on 2006-08-13:
http://www.linux-ha.org/_cache/SecurityIssues__sec03.txt
Impact
------
Successful exploitation of the vulnerability will result in
a DoS condition affecting critical DNS and DHCP services.
Exploit
-------
In this example the XHA cluster is composed of:
node-1: 192.168.1.12
node-2: 192.168.1.13
VIP: 192.168.1.11
A remote attacker can perform the following to crash the
heartbeat control process on node-1:
$ perl -e 'print "###\n2147483647heart attack:%%%\n"' |
nc -u 192.168.1.12 694
If node-1 is the active node in the cluster, node-2 will
take over the VIP and the cluster will be in an
active/active condition. Other scenarios are possible, such
as crashing the control process on the passive node to
prevent it from being able to assume the active role in a
failure condition.
Note that the iptables configuration on Adonis does not
block packets to 694/udp; there is an explicit policy to
permit port 694/udp from any to any in the INPUT and OUTPUT
chain. To verify this, you can login as root on the
appliance and view the firewall configuration script:
# grep 694 /usr/local/bluecat/doFirewall
iptables -A INPUT -p udp --dport 694 -j ACCEPT
iptables -A OUTPUT -p udp --dport 694 -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport 694 -j ACCEPT
$IP6TABLES -A OUTPUT -p udp --dport 694 -j ACCEPT
Workarounds
-----------
The attack can be prevented by blocking packets to 694/udp.
This can be performed at a firewall and by modifying the
iptables configuration on the Adonis appliances.
Appropriate anti-spoofing policies must also be in place,
because an attacker can spoof the source IP address in the
UDP datagram.
When XHA was configured, iptables rules were configured in
/usr/local/bluecat/firewall_rules/localHAFirewallConfig to
permit 694/udp to and from the peer node on each appliance.
However, these rules have no effect due to the rules
mentioned above. And they are also incorrect because they
specify source port 694/udp, and the heartbeat packets we
observed do not use a fixed source port.
One possible workaround which may be used to temporarily
prevent the attack is to comment out the 694/udp rules in
the firewall startup script then repair the rules in
localHAFirewallConfig. However, localHAFirewallConfig can
be overwritten by /usr/local/bluecat/configLocalFirewall.sh.
Due to this, we recommend that customers do not modify the
iptables configuration, and block 694/udp and perform
anti-spoofing at a firewall.
Obtaining Patched Software
--------------------------
Contact the vendor.
Credits
-------
forloop discovered that Adonis XHA was using vulnerable
heartbeat software, and defaultroute read the heartbeat code
to discover the exploit. Both are members of Template
Security.
Revision History
----------------
2007-07-29: Revision 0 released
