    Fog Server vulnerable

    FOG Problems
TaTa

      Hello all,

      I hope y’all stay safe and well.

My institution recently did a pen test and found a few vulnerabilities on the FOG server:

      Vulnerable version of product HTTPD found – Apache HTTPD 2.4.6
      Vulnerable version of component OpenSSL found – OpenSSL 1.0.2k-fips
      Configuration item ftp.plaintext.authentication set to ‘true’
      Insecure MAC algorithms in use: hmac-sha1,hmac-md5
      Negotiated with the following insecure cipher suites:
      * TLS 1.0 ciphers

      If I manually upgrade APACHE and OpenSSL to the latest versions 2.4.52 and 3.0 respectively, would this break FOG in any way? I’m using FOG Version 1.5.8 on Enterprise Linux Server release 7.9 (Maipo).
      Does openSSL version 3.0 resolve Insecure MAC algorithms and insecure cipher issues? How do I go about fixing ftp plaintext authentication issue?

      Thank you.

george1421 Moderator @TaTa

        @tata The short answer is you can update your OS with patches and they will not impact FOG. This is something you should do.

        So apache, openssl can be updated no problem.
The insecure MAC alg. is probably related to ssh allowing insecure authentication hashes. You can just update the sshd server configuration to fix this. FOG doesn’t use SSH so there is no impact there.

TLS 1.0 cipher might come into play if you are using ssl (https) for your web site. While I don’t know for sure, you might run into a conflict with the FOG clients if they are configured to use TLS 1.0. The fog clients connect to the FOG server on port 80. So I would make the change to only allow 1.2 and see if the fog clients have an issue. If you have storage nodes, then also watch the master node to make sure it’s getting performance metrics from the storage node.

        The troubling one is the ftp plain text auth. There is no getting around this one right now. I’m suspecting they want you to use certificates instead of plain text, or possibly something like sftp or ftps. Right now FOG is not configured to use the ssl or tls versions of ftp.

These trouble points you mention make me think you had a compliance audit. I would think the FOG server should be excluded from the audit since it doesn’t contain PII or credit card data.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

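For the two findings george1421 maps to OS configuration (the sshd MACs and TLS 1.0 on httpd), here is an added example that is not code from the FOG project or from anyone in this thread. It runs the checks over two constructed config fragments rather than the live files and prints the hardened directive for each; the sample text, the hardened MAC list and the `-all +TLSv1.2` setting are my choices, not FOG's.

```shell
#!/bin/sh
# Added example; not code from the FOG project or from anyone in the thread.
# It audits two constructed config fragments for the findings listed in the
# first post (insecure SSH MACs, TLS 1.0 negotiable on httpd) and prints the
# hardened form of each. Only the sample text below is processed; the real
# files (/etc/ssh/sshd_config, /etc/httpd/conf.d/ssl.conf) are named here in
# comments only and never read or written.

# Constructed sample of the relevant sshd_config lines.
SAMPLE_SSHD='Port 22
MACs hmac-sha2-256,hmac-sha1,hmac-md5
PermitRootLogin no'

# Constructed sample of the relevant ssl.conf lines. On httpd "all" means
# every protocol the build supports, so TLS 1.0 stays enabled here.
SAMPLE_SSL='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5'

# SHA-2 MACs only, encrypt-then-MAC variants first; all four exist in the
# OpenSSH 7.4 that RHEL/CentOS 7.9 ships.
HARDENED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Print the weak MACs (hmac-sha1*, hmac-md5*) that a config explicitly
# enables, comma-separated. Prints DEFAULT when no MACs directive pins the
# list, because the build defaults then apply and must be read from `sshd -T`.
sshd_weak_macs() {
    macs=$(printf '%s\n' "$1" | awk '$1 == "MACs" { m = $2 } END { print m }')
    if [ -z "$macs" ]; then
        echo DEFAULT
        return 0
    fi
    printf '%s\n' "$macs" | awk -F, '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^hmac-(sha1|md5)/)
                out = (out == "") ? $i : out "," $i
        print out
    }'
}

# Print the config with its MACs directive replaced by the hardened list, or
# with one appended when there was none.
sshd_harden() {
    printf '%s\n' "$1" | awk -v macs="$HARDENED_MACS" '
        $1 == "MACs" { if (!done) print "MACs " macs; done = 1; next }
        { print }
        END { if (!done) print "MACs " macs }'
}

# True (exit 0) when SSLProtocol still lets clients negotiate TLS 1.0.
# mod_ssl semantics: a bare name replaces the set, "+name" adds, "-name"
# removes, "all" stands for every version, and no directive means all.
apache_allows_tls10() {
    printf '%s\n' "$1" | awk '
        $1 == "SSLProtocol" {
            seen = 1; allowed = 0
            for (i = 2; i <= NF; i++) {
                sign = substr($i, 1, 1)
                name = (sign == "+" || sign == "-") ? substr($i, 2) : $i
                hit = (name == "all" || name == "TLSv1")
                if (sign == "+") { if (hit) allowed = 1 }
                else if (sign == "-") { if (hit) allowed = 0 }
                else allowed = hit
            }
        }
        END { if (!seen) allowed = 1; exit !allowed }'
}

# Print the config with every SSLProtocol line pinned to TLS 1.2 only.
# "-all +TLSv1.2" is accepted by httpd 2.4.6; "+TLSv1.3" can be added once
# httpd >= 2.4.37 runs against OpenSSL >= 1.1.1.
apache_harden() {
    printf '%s\n' "$1" | awk '
        $1 == "SSLProtocol" { print "SSLProtocol -all +TLSv1.2"; next }
        { print }'
}

# Stand-alone run: report on the samples and show the hardened directives.
echo "sshd weak MACs: $(sshd_weak_macs "$SAMPLE_SSHD")"
sshd_harden "$SAMPLE_SSHD" | grep '^MACs'
if apache_allows_tls10 "$SAMPLE_SSL"; then
    echo "httpd: TLS 1.0 negotiable"
fi
apache_harden "$SAMPLE_SSL" | grep '^SSLProtocol'
```

After applying the real changes, `sshd -T | grep -i macs` shows the effective MAC list regardless of defaults, and `apachectl configtest` followed by a reload is the usual way to pick up the SSLProtocol change; the FOG client check george1421 describes (watch for connection failures after disabling TLS 1.0) still applies to whatever uses the https vhost.
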
TaTa

          @george1421 said in Fog Server vulnerable:

          sshd

          Thank you very much @george1421. I will update apache and openssl to see how it goes.

We are not using fog clients or https so I’m not so worried about TLS 1.0. I couldn’t get https to work when we configured FOG in the past so I gave up on it. We only have one storage node and it’s on the same server.

          You are right. We had a compliance audit. I will ask the security team to see if they can make an exemption on the ftp part.

          Thanks again for your help.

george1421 Moderator @TaTa

            @tata said in Fog Server vulnerable:

I’m not so worried about TLS 1.0

            If you don’t use https, then I would query the security group to which service is running that it detected TLS 1.0. FOG doesn’t use it, but there may be something built into the OS that does.


TaTa @george1421

@george1421 I updated httpd to httpd2.4 version 2.4.52. Webservice is running but FOG webservice is not. I’m getting URL not found. I know there is an easy fix but I couldn’t find it in my notes. I forgot to take a snapshot and don’t want to mess around and cause more damage =). Could you please give me a hint how to remedy this issue?

TaTa @TaTa

                Please scratch out my previous question.

                systemctl enable httpd.service resolved it. 😃

TaTa

                  @george1421 I updated FOG to 1.5.9 while working on these issues and was able to enable HTTPS with a custom cert. The site was loading fine/we were able to clone images from FOG server.

                  The security team also wanted me to update PHP 7.2.34 and mysql to the latest version.
                  I updated PHP to 8.1.3 and now the website is not loading. I’m getting HTTP ERROR 500.
                  What are the right steps to update php and its dependencies and MYSQL?
Sorry for asking too many questions.

george1421 Moderator @TaTa

                    @tata FOG 1.5.9 does not support php version 8. You need to upgrade to the dev branch for that. Personally I would have taken php and php-fpm to version 7.4 and not jumped to php8. As for mysql there should be no problem upgrading to latest database. But I do have to caveat I have not tried to move beyond the versions shipped with the fog server host OS distro version.


Sebastian Roth Moderator

                      @george1421 @TaTa Even the latest dev-branch version is not compatible with PHP8 yet. You might want to give the dev-branch-php8 branch a go. But this is really new and not tested much at all.

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

TaTa

                        @george1421 @Sebastian-Roth Thank you all for your help. I downgraded to php7 but couldn’t get around the HTTP error 500. We didn’t take a snapshot of the VM before messing around with it. It took a while for the admin to restore our FOG server from the backup. I’m staying at PHP 7.4.28 and mysql 5.7.33 for now.

Sebastian Roth Moderator

                          @tata said in Fog Server vulnerable:

                          Thank you all for your help.

                          You are welcome. You might want to ask in the forums before jumping right into it next time.

                          I downgraded to php7 but couldn’t get around the HTTP error 500.

                          The apache and PHP-FPM logs are your friends in finding out what’s wrong. See my signature on where to find those.

                          We didn’t take a snapshot of the VM before messing around with it.

                          Next time you will, I am sure. 😉

                          It took a while for the admin to restore our FOG server from the backup. I’m staying at PHP 7.4.28 and mysql 5.7.33 for now.

                          So things are back to normal for now, right?


TaTa @Sebastian Roth

                            @sebastian-roth Yes, sir! Lesson learned…for now.

TaTa @TaTa

Good morning @george1421 @Sebastian-Roth. The security team agreed to grant an exception for ftp plain text authentication but they do need some documentation from the developer. I looked through the wiki but I couldn’t find any place that mentions this. Could you please point me to the right place?

Sebastian Roth Moderator

                                @TaTa I guess code is probably the best documentation you can get for this particular question:

                                https://github.com/FOGProject/fogproject/blob/master/packages/web/lib/fog/fogftp.class.php
                                https://github.com/FOGProject/fogproject/search?q=FOGFTP


george1421 Moderator @TaTa

@tata Beyond looking at the code, what do they expect you to produce? Yes, plain text FTP is used. It’s only used in the context of the application. At no time under the normal operation of FOG does a user or fog admin use FTP to access the server. It’s only used by back end FOG services for image movements within FOG. I’m not sure what else they might want.


TaTa @george1421

@Sebastian-Roth @george1421 Thank you. I’ll give them the source code to see what they say. @george1421 I explained that to them. They are okay with it but they need a written document from the developer in order to grant an exemption.

TaTa @TaTa

Thank you all for your help. I was able to get an exemption from the security team for ftp plaintext. I’m down to the last issue about the nfs mount points and folder permissions. They don’t like the fact that these mount points are open to everyone. What is the proper way to secure them?
                                      I currently have:
                                      /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
                                      /images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)

                                      What is the proper permission for /images folder (and sub folders)? It is now set to drwxrwxrwx. fogproject root 4096.

Sebastian Roth Moderator

                                        @TaTa The default NFS in FOG is still version 3 which has no concept of user authentication/authorization. Sure you can try to lock things down a bit by setting access rights on the FOG server filesystem.

                                        But if you want to go beyond that you will need to look into NFSv4 which is not implemented yet: https://forums.fogproject.org/topic/14791/feature-request-for-fog-1-6-x-configure-image-capture-to-use-nfsv4-instead-of-nfsv3


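Sebastian's point that NFSv3 has no user-level authentication leaves two controls at this level: the exports client list and the filesystem modes. The following is an added example, not FOG project code and not from anyone in the thread. It audits a constructed copy of the two export lines from the earlier post, flags the options that widen what a client is trusted to do, narrows the `*` client spec to a placeholder network (192.0.2.0/24, a documentation range) while leaving the export options untouched, and checks an `ls -ld` line for the world-writable mode reported above. Which of the export options FOG's capture and deploy path actually needs is not settled in this thread, so the script only reports them.

```shell
#!/bin/sh
# Added example; not FOG project code and not from anyone in the thread.
# Works only on the constructed text below; /etc/exports and /images on a
# real server are never read or modified.

# Constructed copy of the two export lines from the post.
SAMPLE_EXPORTS='/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)'

# Placeholder for the network the FOG clients boot from (documentation range).
FOG_CLIENT_NET='192.0.2.0/24'

# Print the paths that are exported to every host ("*" client spec).
exports_world_open() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "*" || $i ~ /^\*\(/) { print $1; break }
    }'
}

# Print "path option" for the options that widen the trust given to clients:
# no_root_squash (remote root stays root on the server) and insecure (mounts
# accepted from non-privileged source ports). Reported, not changed.
exports_trust_widening() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++) {
            opts = $i
            sub(/^[^(]*\(/, "", opts)
            sub(/\)$/, "", opts)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "no_root_squash" || o[j] == "insecure")
                    print $1, o[j]
        }
    }'
}

# Print the exports with every "*" client spec replaced by the given network;
# the option list after it is carried over unchanged.
exports_restrict() {
    printf '%s\n' "$1" | awk -v net="$2" '{
        for (i = 2; i <= NF; i++) {
            if ($i == "*") { $i = net }
            else if ($i ~ /^\*\(/) { $i = net substr($i, 2) }
        }
        print
    }'
}

# True (exit 0) when an "ls -ld" line shows a directory writable by everyone,
# which is what drwxrwxrwx on /images means.
mode_world_writable() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$mode" in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over the samples.
echo "exported to everyone:"
exports_world_open "$SAMPLE_EXPORTS"
echo "trust-widening options:"
exports_trust_widening "$SAMPLE_EXPORTS"
echo "restricted to $FOG_CLIENT_NET:"
exports_restrict "$SAMPLE_EXPORTS" "$FOG_CLIENT_NET"
# Constructed ls -ld line matching the mode reported in the post.
if mode_world_writable 'drwxrwxrwx. 3 fogproject root 4096 Jan  1 00:00 /images'; then
    echo "/images is world-writable"
fi
```

Narrowing the client list is an NFSv3-level control and is worth doing on its own; with `no_root_squash` still present, a host inside the allowed network that is root locally is root on the export, which is the limit Sebastian describes and the reason the NFSv4 request he links is the real fix. After editing `/etc/exports`, `exportfs -ra` reloads it and `exportfs -v` shows the effective options.
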
                                        Copyright © 2012-2024 FOG Project