Slashdot Mirror


Arkeia Network Backup Agent Remote Access

hdm writes "The Metasploit Project has published a security analysis of the Arkeia Network Backup Client. Anyone able to connect to TCP port 617 can gain read/write access to the filesystem of any host running the Arkeia agent software. This appears to be an intentional design decision on the part of the Arkeia developers. A long-winded description of this issue, complete with screen shots, demonstration code, and packet captures can be found in the research article. Arkeia has been credited with being the first commercial backup product for the Linux platform."

14 of 168 comments

  1. Somebody has to say it by Renegade Lisp · · Score: 4, Interesting
    Well, to state the obvious: Would this problem have survived for so long if Arkeia Network Backup had been open source software?

    Large enterprises migrating to Linux now should be careful not to throw away the biggest advantage of their new platform by committing to all sorts of closed source software that happens to run on it.

    For the time being, I guess I'll stick to my proven, open source (free software even) backup solution involving tar, gpg, and ssh.

    1. Re:Somebody has to say it by badfish99 · · Score: 5, Insightful
      No it wouldn't, because people would have spotted the decision at an early stage and told the developers that it was stupid.

      With a commercial product, it took someone with a network sniffer to discover this. So it's just a lucky fluke that someone other than the bad guys knows about it.

    2. Re:Somebody has to say it by Eric Giguere · · Score: 4, Funny

      if Arkeia Network Backup had been open source software

      Well, it kind of is open source software... install it and it opens up your source (and pretty much anything stored on your computer) to anyone who wants it!

      Eric
      See what headers your browser is sending
  2. Not a bug; it's a feature? by physicsphairy · · Score: 4, Funny
    "This appears to be an intentional design decision on the part of the Arkeia developers."

    Does this mean that, possibly, they were anticipating people *not* being able to access TCP port 617? I.e. "we trust you know how to properly configure your firewall."

    So far, I can narrow down to either that, them being drunk when they coded this, or this being a case of the improper usage of the word "intentional."

    1. Re:Not a bug; it's a feature? by Zocalo · · Score: 4, Insightful
      Even if they were making the somewhat idiotic assumption that all of their users were behind a properly configured firewall, so what? That makes absolutely zero provision for a potential cracker having already circumvented the firewall by other means or even the possibility that they might be an employee. Or haven't they seen any of the reports that a significant amount of computer crime is committed by aggrieved employees?

      I don't think it's so much improper usage of the word "intentional" as an incorrect synonym for the term "brain dead".

      --
      UNIX? They're not even circumcised! Savages!
  3. Re:got root? by Zocalo · · Score: 4, Insightful

    It's a piece of backup software, at the very least it needs to have read access to everything it is going to be used to back up. If you are planning on doing a full system backup, that means it needs read access to the whole filesystem or it can't do its job. That doesn't mean it needs to be running as "root" of course; ideally such a tool would be running with a dedicated user and group. On a Windows box however it's not uncommon to see backup utilities running with higher privileges than the "administrator" account because that's the only way to sidestep things like system file protection and other tricks Microsoft uses to protect the system from abuse.

    --
    UNIX? They're not even circumcised! Savages!
  4. from the arkeia site by Dr.Opveter · · Score: 5, Funny
    Arkeia.com

    I was looking for a Client-Server backup system that could offer me the possibility of backing up Unix/Linux and NT Servers on a single tape system.
    After long research my choice went to the Arkeia solution, because it has all the benefits I needed. Since then, it runs like a black box, without any need of additional Service.

    Tom Weber, IT Manager
    RTL TV (Europe)

    The backup system running like a black box might not be a good thing here eh?

    --
    Sample this!
    1. Re:from the arkeia site by DingerX · · Score: 4, Insightful

      I'd say the worse thing here would be being a published user of a system with an "interesting" security hole like that; all of a sudden, a friendly testimonial becomes an advertisement of a vulnerability.

      Unless, of course, they've got everything firewalled to tuesday.

      Zzzzapp

      Nope, metal.

  5. Specifications by Fox_1 · · Score: 5, Insightful

    It's very frustrating when you find previously unknown and undocumented features in software that you have purchased. I remember having to provide clients with full copies of the specifications and code for software so that they would be able to update/repair/modify it if I was hit by a bus or something. Security through obscurity is not safety; that should be validated by now simply by the sheer number of stories similar to this Arkeia one. Open Source Software at least has the beauty of the source code being readily accessible so that the user/admin/owner can see what they are installing on their system. This poor guy in the article ended up having to reverse engineer his software to find out the security dangers. Which may be against a law somewhere, ha - putting a backdoor into software you give me is not illegal, finding that backdoor - may be me in trouble. I love it.

    --
    The rock, the vulture, and the chain
    1. Re:Specifications by TheRaven64 · · Score: 4, Insightful

      I think your post is probably the best one I've read on Slashdot explaining the benefits of open source, or free, software. It's not about giving the code away to everyone free of charge, it's about ensuring that those people who rely on the code have the ability to modify it.

      --
      I am TheRaven on Soylent News
  6. The oldest excuse in the book by HeghmoH · · Score: 4, Insightful

    "It's not a bug, it's a feature!"

    What a bunch of morons. It's one thing to accidentally write a security hole in your software. It's another thing entirely to claim that you deliberately make it so your software leaves your users' systems wide open to anybody who feels like taking advantage.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  7. It may have been said before... by caluml · · Score: 5, Funny

    Well, let me be the first to say that I for one welcome our new nmap -sS -PS617 -iR 0 -p 617 -ing overlords.

  8. Security available, just not enabled by default by Anonymous Coward · · Score: 5, Insightful

    Arkeia provides both authentication and encryption of the connections - if you enable it. There is a part of the manual that covers how to enable security.

    It is indeed bad that it is not enabled by default. On the other hand, enabling authentication of the backup server on the backup clients means that it is slightly harder to set up a backup client.

    The problem is not much worse than, say, NFS. (Where impersonating a host can get you everywhere unless authenticated RPC is used.)

  9. Hum off topic'ish. by zijus · · Score: 5, Insightful

    Hi there.

    Well, I just recently dealt with "simple" backups via rsync + ssh. If you can rsync something from remote onto target with no special protection regarding rsync... If target is compromised, a malicious user can run arbitrary commands through rsync. And rsync server provides full read access to FS. (Well, within user permissions though.) Isn't it a bit the same problem that this software has? I would not be surprised to hear that you can customize the backup server to limit access/actions for better safety. Which is exactly what you have to do with ssh on remote server: filter commands passed through ssh before running them. I mean: each remote you want to back up will have to be worked on a little.

    It's off topic but FYI: Rsync server can take as a file list an arbitrary unix command.

    rsync user@remote:'`\rm -rf /`' .

    Pretty efficient, isn't it? (unix file perm will limit the damage though).

    Bye bye.

    Z.
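The comment above says the fix on the ssh side is to filter the command before running it. Here is one way to do that, as an added example that is not code from the thread or from Arkeia: an ssh forced-command wrapper installed on the host being backed up. It only passes through a read-only rsync server invocation (`rsync --server --sender ...`) whose path stays under one allowed directory, and it rejects the backtick trick shown in the post. The path `/srv/export`, the script name and the key line are assumptions for illustration; the `command="..."` syntax and `SSH_ORIGINAL_COMMAND` are standard OpenSSH.

```shell
#!/bin/sh
# rsync-only.sh: ssh forced command that confines a backup key to read-only
# rsync of one directory. Added example; not from the original thread.
#
# Install on the host being backed up, in ~/.ssh/authorized_keys of the
# backup user (key material and directory are assumptions):
#   command="/usr/local/bin/rsync-only.sh /srv/export",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup@server
#
# The backup server then runs, e.g.:  rsync -a backup@host:/srv/export/ ./dest
# and the remote side receives:       rsync --server --sender <flags> . /srv/export/

# check_rsync_cmd ALLOWED_DIR CMD
# Returns 0 if CMD is a read-only rsync server invocation whose target path
# is ALLOWED_DIR or a subdirectory of it, 1 otherwise.
check_rsync_cmd() {
  allowed="$1"
  cmd="$2"
  nl='
'

  # 1. Reject anything that would be interesting to a shell: substitution,
  #    command separators, redirection, newlines. This is what defeats
  #    the `\rm -rf /` example from the post.
  case "$cmd" in
    *'`'*|*'$'*|*';'*|*'&'*|*'|'*|*'>'*|*'<'*|*"$nl"*) return 1 ;;
  esac

  # 2. Only the server side of a *pull* is allowed. Without --sender the
  #    remote would be a receiver, i.e. the client could write to disk.
  case "$cmd" in
    "rsync --server --sender "*) ;;
    *) return 1 ;;
  esac

  # 3. The last argument is the path rsync will read from.
  path="${cmd##* }"
  case "$path" in
    *..*) return 1 ;;                     # no parent-directory escapes
    "$allowed"|"$allowed"/*) ;;           # inside the allowed tree
    *) return 1 ;;
  esac

  return 0
}

# When sshd invokes this as the forced command, gate the requested command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if check_rsync_cmd "${1:-/srv/export}" "$SSH_ORIGINAL_COMMAND"; then
    set -f   # no globbing when the validated command is word-split below
    exec $SSH_ORIGINAL_COMMAND
  fi
  echo "rsync-only: rejected command: $SSH_ORIGINAL_COMMAND" >&2
  exit 1
fi
```

The options `no-pty,no-port-forwarding,...` on the key line matter as much as the script: without them the same key could still be used for a shell via port forwarding or an agent. Note that this confines the *backup server's* key on the client; it does nothing about a compromised backup server reading whatever is under the allowed directory, which is the residual risk the comment describes.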