    Need to Close Vulnerability "Exported volume is publicly mountable"

    FOG Problems
• chetansays

      Server
      • FOG Version: 1.3.4
      • OS: 14.04 LTS

Need to close this vulnerability, which was found while scanning the FOG server: “Exported volume is publicly mountable”. It gives 6 instances on various ports.

[attachment: FogCapture.JPG]

• Tom Elliott

        That’s normal. We use NFS to mount shares.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

• george1421 (Moderator)

          This is for PCI or some other compliance certification?

Also, on your FOG server Linux console, key in showmount -e 127.0.0.1 and report the results here.

I can say it WILL be difficult to close this ‘vulnerability’ of having an open share; FOG uses the /images/dev share to upload images to the FOG server.

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

• chetansays @george1421

            @george1421

Results for the showmount command:

            Export list for 127.0.0.1:
            /images/dev *
            /images *

Can I close it and open it only when I need to upload an image to the FOG server?

• george1421 (Moderator) @chetansays

@chetansays Well, there are only 2 shares defined on your FOG server.

The /images share should be set up as read only. You can confirm that with the following command: cat /etc/exports

It should respond with something that looks like this:

              /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
              /images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
              

That first flag for /images *(ro,sync indicates it's a read-only share.

But if you look at the flags for /images/dev, *(rw,sync indicates that share is read-write.

You ‘could’ update the flag for /images/dev to be ro, but you will have to remember to change it back when you want to capture an image. This is problematic at best. If you do change the /etc/exports config file, don’t forget to reshare with the new settings by issuing an export -a command.


• george1421 (Moderator) @george1421

@george1421 There is another option if you only capture images from a specific IP address range: you can restrict who can mount that share by IP address range. It would still technically be an open share (it must be, to work correctly with FOG), but access would be restricted to a specific subnet.

• chetansays

I have 2 more vulnerabilities on the FOG server; can you please help with those as well?
[attachments: FOGMYSQLCapture.JPG, FogFTPCapture.JPG]

• Tom Elliott @chetansays

@chetansays Once again, you installed FOG. The services it creates are needed for FOG to do whatever it is it needs to do.

                    Unless you’re uploading images, however, you can just stop the FTP service.

• chetansays @george1421

                      @george1421

Can you show how to restrict it to a specific IP range, please?

• Wayne Workman @chetansays

                        @chetansays Since you’re using Ubuntu 14.04, you would have to use iptables to restrict IP ranges.

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                        Daily Clean Installation Results:
                        https://fogtesting.fogproject.us/
                        FOG Reporting:
                        https://fog-external-reporting-results.fogproject.us/

• george1421 (Moderator) @chetansays

                          @chetansays

I am not speaking for the developers here, but you need to understand that the focus of FOG is very much imaging, built on open-source software and commodity hardware. PCI or whatever compliance you are trying to achieve is not in scope of the project. Depending on your compliance exposure, you should be able to justify that FOG does not contain CC/HIPAA/Whatever.

With that said, if you take each of the audit observations in hand, you can do certain mitigation steps.

In the case of NFS, you can restrict access to the NFS shares by updating your exports config file. Here are the default exports. You can restrict who can mount the share by replacing the wildcard star ( * ) with a CIDR network format.

                          /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
                          /images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
                          

                          would become

                          /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
                          /images/dev 192.168.2.0/255.255.255.0(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
                          

This only allows hosts on the 192.168.2.0/24 subnet to access the NFS share used for image uploads to the FOG server.

As for FTP, you can do something similar by using TCP Wrappers, which use hosts.allow and hosts.deny to filter vsftpd access.

1. Add the following to your vsftpd.conf file: tcp_wrappers=YES
2. Restart vsftpd.
3. In /etc/hosts.deny, deny everyone for vsftpd: vsftpd: ALL
4. In /etc/hosts.allow, add the authorized IPs: vsftpd:192.168.2.0/24

That should restrict FTP server access to only the subnets that will upload to FOG.

As for the MySQL server, if you don’t have a storage node, then you can disable external access to MySQL via the mysql config file or by setting up iptables rules as Wayne mentioned.

• Wayne Workman @george1421
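The read-only/read-write export check george1421 walks through earlier and the CIDR restriction plus TCP Wrappers rules in this post, as an added shell example (not code from the thread or the FOG project). It works on a temporary copy of a constructed exports file, so /etc/exports is never touched; the 192.168.2.0/24 subnet is the post's illustrative value, and exportfs -ra is the re-export step assumed here.

```shell
# Added example, not code from the thread or the FOG project: audit an NFS
# exports file for entries mountable from any host, rewrite one export's
# client spec to a CIDR, and print the TCP Wrappers lines for vsftpd.
# It runs on a temporary copy so /etc/exports is never touched.

# Constructed sample reproducing the FOG 1.3.x defaults quoted in the thread.
SAMPLE_EXPORTS='/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)'

# audit_exports FILE: print "PATH CLIENT MODE" for every non-comment entry
# whose client spec is the wildcard "*"; MODE is rw if the option list
# contains rw, otherwise ro. This is the check behind the scanner finding.
audit_exports() {
    awk '$1 !~ /^#/ && NF >= 2 {
        split($2, p, "(")                    # p[1] = client, p[2] = "opts)"
        if (p[1] == "*") {
            mode = (("," p[2]) ~ /,rw[,)]/) ? "rw" : "ro"
            print $1, p[1], mode
        }
    }' "$1"
}

# restrict_export FILE PATH CIDR: replace the client spec of PATH with CIDR,
# leaving the option list as it is. Output goes to stdout; after writing it
# back to /etc/exports, re-export with: exportfs -ra
restrict_export() {
    awk -v path="$2" -v cidr="$3" '
        $1 == path && NF >= 2 { sub(/^[^(]*/, cidr, $2) }  # text before "(" is the client
        { print }' "$1"
}

# wrappers_rules CIDR: the hosts.deny / hosts.allow pair the post describes
# (requires tcp_wrappers=YES in vsftpd.conf and a vsftpd restart).
wrappers_rules() {
    printf '/etc/hosts.deny:  vsftpd: ALL\n'
    printf '/etc/hosts.allow: vsftpd: %s\n' "$1"
}

# Demo: the 192.168.2.0/24 subnet is the post's illustrative value.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_EXPORTS" > "$tmp"
    echo "world-mountable before:"; audit_exports "$tmp"
    restrict_export "$tmp" /images/dev 192.168.2.0/24 > "$tmp.new"
    echo "world-mountable after:";  audit_exports "$tmp.new"
    wrappers_rules 192.168.2.0/24
    rm -f "$tmp" "$tmp.new"
}
demo
```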

@george1421 That will be overwritten the very next time he updates FOG unless the blexports option in /opt/fog/.fogsettings is set to 0.

You can edit this file with vi or nano and set that option to 0. This way the changes that George suggests will stick the next time you update FOG.
                            Reference:
                            https://wiki.fogproject.org/wiki/index.php?title=.fogsettings#NFS

                            Copyright © 2012-2024 FOG Project