Need to Close Vulnerability "Exported volume is publicly mountable"



  • Server
    • FOG Version: 1.3.4
    • OS: 14.04 LTS

    I need to close this vulnerability, which was found while scanning the FOG server: “Exported volume is publicly mountable”. It reports 6 instances on various ports.

    [attachment: FogCapture.JPG (scanner screenshot)]


  • Moderator

    @george1421 That will be overwritten the very next time he updates FOG unless the blexports option in /opt/fog/.fogsettings is set to 0.

    You can edit this file with vi or nano and set that option to 0. This way the changes that George suggests will stick the next time you update FOG.
    Reference:
    https://wiki.fogproject.org/wiki/index.php?title=.fogsettings#NFS


  • Moderator

    @chetansays

    I am not speaking for the developers here, but you need to understand that the focus of FOG is imaging built on open-source software and commodity hardware. PCI or whatever compliance you are trying to achieve is not in scope of the project. Depending on your compliance exposure, you should be able to justify that FOG does not contain CC/HIPAA/whatever.

    With that said, if you take each of the audit observations in hand, you can do certain mitigation steps.

    In the case of NFS you can restrict access to the NFS shares by updating your exports config file. Here are the default exports. You can restrict who can mount the share by replacing the wildcard star ( * ) with a network in CIDR format.

    /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
    /images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
    

    would become

    /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
    /images/dev 192.168.2.0/255.255.255.0(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
    

    to only allow hosts on the 192.168.2.0/24 subnet to access the NFS share for image uploading to the FOG server.

    As for FTP, you can do something similar by using TCP Wrappers, which use hosts.allow and hosts.deny to filter vsftpd access.

    1. Add the following to your vsftpd.conf file : tcp_wrappers=YES
    2. Restart vsftpd.
    3. In /etc/hosts.deny deny everyone for vsftpd : vsftpd: ALL
    4. In /etc/hosts.allow add the authorized IPs : vsftpd:192.168.2.0/24

    That should restrict FTP server access to only the subnets that will upload to FOG.

    As for the MySQL server, if you don’t have a storage node, then you can disable external access to MySQL via the mysql config file or by setting up iptables rules as Wayne mentioned.
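    The checks the thread describes by hand (read `/etc/exports`, look for the `*` client spec that `showmount -e` later reports as `/images/dev *`, and swap it for a CIDR range) can be scripted. This is an added example, not part of the FOG project or of any post above; the exports text embedded below is the default quoted in the thread, and the CIDR value is the one used as an illustration above.

```python
import re

# Constructed sample: the default FOG /etc/exports quoted in this thread.
DEFAULT_EXPORTS = """\
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
"""

# One export path followed by ONE client spec with its option list.
# Assumption: FOG writes a single client spec per line, as above.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")


def parse_exports(text):
    """Return (path, client, [options]) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed exports line: {line!r}")
        path, client, opts = m.groups()
        entries.append((path, client, opts.split(",")))
    return entries


def publicly_mountable(text):
    """Exports any host may mount (client spec '*'), tagged rw or ro.

    The rw entries are the ones a scanner flags as writable by anyone."""
    return [(path, "rw" if "rw" in opts else "ro")
            for path, client, opts in parse_exports(text) if client == "*"]


def restrict_to(text, path, client_spec):
    """Rewrite the export for `path` so only `client_spec` may mount it.

    Options are preserved; only the '*' client is replaced. The caller
    still has to run `exportfs -a` for the change to take effect."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and m.group(1) == path and m.group(2) == "*":
            raw = f"{path} {client_spec}({m.group(3)})"
        out.append(raw)
    return "\n".join(out) + "\n"
```

    Run `publicly_mountable()` over the current file before and after `restrict_to()` to confirm only the read-only `/images` export still answers to `*`.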


  • Moderator

    @chetansays Since you’re using Ubuntu 14.04, you would have to use iptables to restrict IP ranges.



  • @george1421

    Can you show how to restrict to a specific IP range, please?


  • Senior Developer

    @chetansays Once again you installed fog. The services it creates are needed for FOG to do whatever it is it needs to do.

    Unless you’re uploading images, however, you can just stop the FTP service.



  • I have 2 more vulnerabilities on the FOG server; can you please help with those as well?
    [attachments: FOGMYSQLCapture.JPG, FogFTPCapture.JPG (scanner screenshots)]


  • Moderator

    @george1421 There is another option if you only capture images from a specific IP address range. You can restrict who can mount that share by IP address range. It still would be a technically open share (must be to work correctly with fog) but would restrict access to a specific subnet.


  • Moderator

    @chetansays Well there are only 2 shares defined on your fog server.

    The /images share should be set up as read-only. You can confirm that with the following command: cat /etc/exports

    It should respond with something that looks like this:

    /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
    /images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
    

    The first flag for /images *(ro,sync indicates it’s a read-only share.

    But if you look at the flags for /images/dev *(rw,async, they indicate that share is read-write.

    You ‘could’ update the flag for /images/dev to be ro, but you will have to remember to change it back when you want to capture an image. This is problematic at best. If you do change the /etc/exports config file, don’t forget to re-share with the new settings by issuing an exportfs -a command.



  • @george1421

    Results of the showmount command:

    Export list for 127.0.0.1:
    /images/dev *
    /images *

    Can I close it and open it only when I need to upload the image to the FOG server?


  • Moderator

    This is for PCI or some other compliance certification?

    Also, on your FOG server Linux console, key in showmount -e 127.0.0.1 and report the results here.

    I can say it WILL be difficult to close this ‘vulnerability’ of having an open share; FOG uses the /images/dev share to upload images to the FOG server.


  • Senior Developer

    That’s normal. We use NFS to mount shares.

