Slashdot Mirror
Arkeia Network Backup Agent Remote Access
hdm writes "The Metasploit Project has published a security analysis of the Arkeia Network Backup Client. Anyone able to connect to TCP port 617 can gain read/write access to the filesystem of any host running the Arkeia agent software. This appears to be an intentional design decision on the part of the Arkeia developers. A long-winded description of this issue, complete with screen shots, demonstration code, and packet captures can be found in the
research article. Arkeia has been credited with being the
first commercial backup product for the Linux platform."
Large enterprises migrating to Linux now should be careful not to throw away the biggest advantage of their new platform by committing to all sorts of closed source software that happens to run on it.
For the time being, I guess I'll stick to my proven, open source (free software even) backup solution involving tar, gpg, and ssh.
Seems to me that the only way to get r/w access to the entire filesystem is if either a) the backup daemon is running as root, or b) if the backup daemon's user or group has r/w access equal to root's. In either case, the sysadmin would have to be on crack to do that. Not that read-only access is OK by any stretch, but just making the point. Oh, and before idiots start saying "see, open source isn't secure," let me remind them that this is a commercial product that was comprimised. If anything, I'd take this as further evidence of the virtues of open source.
#define DRM chmod 000
Does this mean that, possibly, they were anticipating people *not* being able to access TCP port 617? I.e. "we trust you know how to properly configure your firewall."
So far, I can narrow down to either that, them being drunk when they coded this, or this being a case of the improper usage of the word "intentional."
When things get complex, multiply by the complex conjugate.
I was looking for a Client-Server backup system that could offer me the possibility of backing up Unix/Linux and NT Servers on a single tape system.
After long research my choice went to the Arkeia solution, because it has all the benefits I needed. Since then, it runs like a black box, without any need of additional Service.
Tom Weber, IT Manager
RTL TV (Europe)
The backup system running like a black box might not be a good thing here eh?
Sample this!
It's very frustrating when you find previously unknown and undocumented features in software that you have purchased. I remember having to provide clients with full copies of the specifications and code for software so that they would be able update/repair/modify if I was hit by a bus or something. Security through obscurity is not safety, that should be validated by now simply by the sheer number of stories similar to this Arkeia one. Open Source Software at least has the beauty of the source code being readily accessible so that the user/admin/owner can see what they are installing on their system. This poor guy in the article ended up having to reverse engineer his software to find out the security dangers. Which may be against a law somewhere, ha - putting a backdoor into software you give me not illegal, finding that backdoor - may be me in trouble. I love it.
The rock, the vulture, and the chain
Arcserve is nice. But what about bacula?
http://www.bacula.org/
"It's not a bug, it's a feature!"
What a bunch of morons. It's one thing to accidentally write a security hole in your software. It's another thing entirely to claim that you deliberately make it so your software leaves your users' systems wide open to anybody who feels like taking advantage.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Never attribute to malice what is explainable by stupidity. (though the Bush admin. has stretched my imagination...) Though it appears intentional, there is probably a very good explanation for all of this. Needless to say, we'd better be hearing soon from Arkeia as to exactly WHAT that explanation is.
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
Well, let me be the first to say that I for one welcome our new nmap -sS -PS617 -iR 0 -p 617 -ing overlords.
Get your own free personal location tracker
Arkeia provides both authentication and encryption of the connections - if you enable it. There is a part of the manual that covers how to enable security.
It is indeed bad that it is not enabled by default. On the other hand, enabling authentication of the backup server on the backup clients means that it is slightly harder to set up a backup client.
The problem is not much worse than, say, nfs. (Where impersonating a host can get you everywhere unless authenticated rpc is used.
Hi there.
Well I just dealt recently "simple" backups via rsync + ssh. If you can rsync something from remote onto target with no special protection regarding rsync... If target is compromised, a malicious user can run arbitrary commands through rsync. And rsync server provides full read access to FS. (Well, within user permissions though.) Isn't it a bit the same problem that this software has? I would not be surprised to hear that you can customize the backup server to limit access/actions for better sefety. Which is exactly what you have to do with ssh on remote server: filter commands passed through ssh before running them. I mean: each remote you want to back up will have to be worked on a little.
It's off topic but FYI: Rsync server can take as a file list an arbitrary unix command.
Pretty efficient isn't it ? (unix file perm will limit the damage though).
Bye bye.
Z.
...real men just install Arkeia for their important stuff, and let the rest of the world mirror it :)
... if the software doesn't need the port to be open on the internal network then why is it open?
Firewalling the port on each indivudual system behind the main firewall would then imply that the software couldn't actually function (for any reasonable definition of the word "function").
HAND.
Well well, isn't this interesting. I've had Arkeia running for a while now, backing up a number of different machines with a variety of linuxes, and I chose it because it was the only one that had any sort of support for Debian Sarge. It's been fine, apart from some unstable MySQL support, but other than that, a great piece of software. Until now.
I can't ever trust these guys again. When I first installed it, this issue occured to me, and I just assumed "no way could those guys be that stupid, they must have some internal IP restrictions" - and indeed, seeing as when you install the client it asks for the host server, I figured everything would be fine. If only I had've been wearing my tinfoil hat...
So. Who's got any better recommedations? I want some network capable, high quality backup software. Amanda doesn't cut it, and that was the best of the freeware stuff I saw. What else is out there that has support for a variety of linuxes? Veritas Netbackup wouldn't even touch a Sarge install, it was a dependency hell that I didn't have the time nor patience to get in to. I've got Redhat boxes, from 7.2 to 9, that all need backing up too... So what are the pros out there using? Is there anything that isn't rsync and a few mt commands in a bash script?
Perhaps the answer to the problem of teenagers dropping bricks from motorway and railway bridges is to sue Tetris.
"Said Linus Torvald, 10 Minutes before a HDD crash made him lose most personal notes, emails, docs and latest kernel modification his cron job didn't get a chance to duplicate..."
Check it up...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Here is an instance of the warez-monkies indirectly contributing something useful. PAR2 is essentially a RAID5 type data parity for files. Warezpups use it to add a layer of parity to their hundreds of RAR files (or whatever). If one (or more) RAR's go bad, the parity files can be used to reconstuct the bad file. Much like RAID5 however, there is a space sacrifice for this extra parity layer.
http://sourceforge.net/projects/parchive/
Its frequently used on USENET binaries groups now as well to solve the missing part problems.
I'm sure this exact strategy could be integrated into your backup solution with minimal effort.
I think we'd all enjoy a nice cold beverage. -David Letterman
I ran Arkeia with a large web hosting firm for about 2 years mixed with Linux and Windows machines. We tested the backups extensively before deployment and spent $18,000 with Knox for licenses.
All seemed well until we needed to restore data. The logging indicated a perfect backup, but time and time again our restores were either failing or incomplete. On Windows, it simply wouldn't restore anything.
The solution, according to Arkeia was to purchase an upgrade ($12,000) which would solve all our problems. And since we refused to spend another 15% for a support agreement, that was our only alternative. I don't think so.
Needless to say, we went with someone else. Veritas had a great enterprise solution that worked with Linux and Windows (the server app runs only on Windows) and supports a huge array of tape drives. And it was one-third the price.
I can't definetly recall, but the Veritas agent also has some security peculiarities that raised some eyebrows. If you run any enterprise backup, I guess the answer is to make sure you're firewalled.
In this day and age of cheap disk drives, I wonder if anyone is using USB or Firewire drives and just using those for back-ups. A Lacie 250 gig Firewire drive is <$200.