Maciej Bogucki
23/02/05, 20:55
This is a multi-part message in MIME format.
--------------070204040905080708060803
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--------------070204040905080708060803
Content-Type: message/rfc822;
name="[arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="[arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue"
Return-Path: <owner-arkeia-announce@arkeia.com>
Delivered-To: mbogucki@artegence.com
Received: (qmail 28689 invoked by uid 510); 22 Feb 2005 23:50:48 -0000
Delivered-To: bogucki@3dart.com
Received: (qmail 28685 invoked by uid 507); 22 Feb 2005 23:50:48 -0000
Received: from owner-arkeia-announce@arkeia.com by rincewind by uid 504 with qmail-scanner-1.16
(avp: 3.0 build 133/3.0. spamassassin: 2.63. Clear:SA:0(-4.9/5.0):.
Processed in 17.461754 secs); 22 Feb 2005 23:50:48 -0000
X-Spam-Status: No, hits=-4.9 required=5.0
Received: from gw.arkeia.com (HELO mail.arkeia.com) (64.151.97.188)
by rincewind.non.3dart.com with SMTP; 22 Feb 2005 23:50:30 -0000
Received-SPF: pass (rincewind.non.3dart.com: local policy designates 64.151.97.188 as permitted sender)
Received: by mail.arkeia.com (Postfix)
id 41052AC154; Tue, 22 Feb 2005 15:49:23 -0800 (PST)
Delivered-To: arkeia-announce-45361328@arkeia.com
Received: from localhost (localhost [127.0.0.1])
by mail.arkeia.com (Postfix) with ESMTP id D5656AC155
for <arkeia-announce-45361328@arkeia.com>; Tue, 22 Feb 2005 15:49:22 -0800 (PST)
Received: from mail.arkeia.com ([127.0.0.1])
by localhost (wild.arkeia.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 16084-03 for <arkeia-announce-45361328@arkeia.com>;
Tue, 22 Feb 2005 15:49:08 -0800 (PST)
Received: by mail.arkeia.com (Postfix, from userid 1001)
id 9F65AAC13F; Tue, 22 Feb 2005 15:48:51 -0800 (PST)
Delivered-To: arkeia-announce@knox-software.com
Delivered-To: arkeia-announce@mail1.arkeia.com
Delivered-To: arkeia-announce@arkeia.com
Message-ID: <421BC4E5.5010504@arkeia.com>
Date: Tue, 22 Feb 2005 15:48:53 -0800
From: Arnaud Spicht <aspicht@arkeia.com>
User-Agent: Mozilla Thunderbird 1.0 (X11/20050107)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: arkeia-userlist@arkeia.com, arkeia-announce@arkeia.com
Subject: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on slox.arkeia.com
X-Spam-Level:
X-Virus-Scanned: by amavisd-new at arkeia.com
Sender: owner-arkeia-announce@arkeia.com
Precedence: bulk
Reply-To: Arnaud Spicht <aspicht@arkeia.com>
X-Virus-Scanned: by amavisd-new at arkeia.com
Arkeia annouces the release of Arkeia Network Backup 5.3.5.
This release fixes a buffer overflow bug described in bugtraq id 12594.
This bug could allow a remote attacker to execute arbitrary code
remotely, and such get root access to the machine.
If you are in a trusted private lan environment, you don't need to
upgrade.
However, if you are using Arkeia in an untrusted environment, it is
strongly advised to upgrade to this version.
The bug is in the arkeiad daemon process. So you have to upgrade all the
sensitive client machines.
You can get this new version for all client packages trough our ftp
site:
ftp://ftp.arkeia.com/pub/arkeia5.3/arkeia-network-backup
It is also strongly advised to read the Arkeia User Manual "Appendix B:
System Security" to secure Arkeia against system-level intrusion.
Here is the appendix:
APPENDIX B: System Security
---------------------------
This appendix describes what you need to do to secure Arkeia 5 against
system-level intrusion. If you are looking for information about data
security, or how to encrypt the data Arkeia puts onto backup tapes,
please see these references:
- Define options for the savepack on page 84;
- encryption configuration on page 168.
B.1. Client Security
--------------------
To achieve the best security on an Arkeia client computer, you need to
prevent:
- the client from being used as a server,
- access to the client from non-authorized backup servers, and
- access to configuration files.
This section explains how to secure an Arkeia client.
Deny server functions on a client
---------------------------------
Arkeia 5 consists of three main functional packages:
- backup server,
- client, and
- graphical interface.
To simplify installation, all three packages are installed every time.
When the installation is on a platform which can be either an Arkeia
server or client, there is a risk that an intruder who hacks into the
client computer could turn into a backup server.
To prevent this you can deny access to the server functions on a client
computer in the authorization configuration files (auth_ files).
Auth_ files are named using this convention:
$ARKEIA_DIR/arkeiad/auth_<PROCESS_NAME>.cfg
To deny access to a process, change the active line in the authorization
configuration file from ALLOW to DENY:
<PROCESS_NAME>.* DENY * *
For example:
ARKBKP.* DENY * *
The server auth_ files to change to DENY are:
a. auth_ARKBKP (Backup)
b. auth.ARKDUP (Tape duplication)
c. auth.ARKLIB (Tape library management)
d. auth_ARKNAV (Navigation)
e. auth_ARKRST (Restoration)
f. auth_ARKTRANS (Transaction)
Secure access to clients
------------------------
On most networks, it is advisable to deny backup access to clients,
except from the intended Arkeia server (or servers).
This is also done in the auth_ files.
The format to restrict access to a given backup server is:
<PROCESS_NAME>.* ALLOW <backup_server_FQDN> *
For example:
ARKADMIN.* ALLOW mercury.arkeia.com *
The client auth_ files to change are:
a. auth_ARKADMIN (Client administration)
b. auth_ARKFS (client backup, restore, navigation)
Plug-ins
--------
Plug-ins are generally forked by the local client, but it is also
advisable to restrict access to the local computer.
The format to limit access is:
ARKP<PLUGIN>.* ALLOW <local computer FQDN> *
For example:
ARKPMYSQL.* ALLOW mercury.arkeia.com *
Further access limitation
-------------------------
You can further tighten client access by requiring a connection on a
reserved port, and using a root account. The format to limit access is:
<PROCESS_NAME>.* ALLOW <backup server FQDN>[1] root
For example:
ARKADMIN.* ALLOW mercury.arkeia.com[1] root
Secure configuration files
--------------------------
Various Arkeia configuration files contain information such as
passwords and encryption keys, which should be restricted to prevent
unauthorized access.
The best way to do this is to make these files root read-only.
In a shell, run the following command:
# chmod 600 <filename>
The files to restrict are:
a. $ARKEIA_DIR/arkc/arkc.param
b. $HOME/.arkc/arkc.param
c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
d. $ARKEIA_DIR/arkeiad/cryptree.ark
e. $ARKEIA_DIR/arkeiad/admin.cfg
f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
f. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
h. path-to/<global encryption file>
B.2 Server Security
-------------------
To achieve the best security in an Arkeia Server,
- restrict access to the Arkeia backup server functions from remote
computers,
- reserve sensitive operations such as backup creation for an Arkeia
Administrator role, leaving daily operations to an Arkeia Operator
role,
- secure the server configuration files, and
- secure by encryption the data stream between the Arkeia server and
clients.
Secure access
-------------
You are able to manage backups and restores from any computer on the
network.
As backup administrator, you would normally do this from the server
computer, or your own computer, so it is advisable to restrict Arkeia
backup control to these computers.
On a Arkeia server, you can control access through the auth_ files, in
the same way you controlled access to Arkeia clients.
The format to limit access is:
<PROCESS_NAME>.* ALLOW <listof allowed hosts> *
For example:
ARKADMIN.* ALLOW mercury.arkeia.com|earth.arkeia.com *
Note that each allowed host FQDN is separated by a "|" (verticle broken
bar).
The server process authorization configuration files in which to list
the authorized hosts are:
a. auth_ARKBKP (Backup)
b. auth.ARKDUP (Tape duplication)
c. auth.ARKLIB (Tape library management)
d. auth_ARKNAV (Navigation)
e. auth_ARKRST (Restoration)
f. auth_ARKTRANS (Transaction)
Roles
-----
Once you have configured Arkeia to work the way you want it to,
changes to the configuration will be very rare.
It is advisable to create an account with OPERATOR and USER permissions
for the daily management of backups and restorations.
Secure configuration files
--------------------------
For the same reasons as client configuration files, server configuration
files should be restricted to prevent unauthorized access. The best way
to do this is to make these files root read-only.
In a shell, run the following command:
# chmod 600 <filename>
The files to restrict are:
a. $ARKEIA_DIR/arkc/arkc.param
b. $HOME/.arkc/arkc.param
c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
d. $ARKEIA_DIR/arkeiad/cryptree.ark
e. $ARKEIA_DIR/arkeiad/admin.cfg
f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
f. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
h. path-to/<global encryption file>
i. $ARKEIA_DIR/server/dbase/f3sec/*
Port forwarding
---------------
By default, communications between Arkeia backup server and Arkeia
backup client is unencrypted.
You can use SSH to secure the data stream between the server and the
client. On the server computer, enter this command as root:
# ssh -g -L 617:<backup_server_hostname>:619 <client_hostname>
When Arkeia connects to port 617 on a client, the data is forwarded over
the secure channel to client_hostname, port 619.
You must change the Arkeia backup client to 619, see Arkeia daemon
management on page 160 of Arkeia User manual for instructions on how to
do this.
For example:
# ssh -g -L 617:earth.arkeia.com:619 mercury.arkeia.com
Data will now pass by an encrypted channel between port 61 on the backup
server earth.arkeia.com and port 619 on the client mercury.arkeia.com
If you want to apply this setting automatically when the server computer
is booted, add the above command to the file /etc/ssh/ssh_config
--
Arnaud Spicht, CTO
Arkeia Corp Arkeia SA
1808 Aston Avenue, Suite 220 41 rue Delizy
Carlsbad, CA 92008 93692 Pantin Cedex
USA France
Tel: (760) 431.1319 x2004 Tel: +33 (0)1 48 10 89 89
Fax: (760) 602.8599 Fax: +33 (0)1 48 10 89 90
http://www.arkeia.com
__________________________________________________ ______________________
This email message is for the sole use of the intended recipient(s) and
may contain confidential information or information belonging to Arkeia
Corp. The unauthorized disclosure, use, dissemination or copying (either
whole or partial) of this e-mail, or any information it contains, is
prohibited.
If you are not the intended recipient of this e-mail, please delete it
immediately from your system and notify the sender of the wrong delivery
by reply email. Thank you.
__________________________________________________ _
This read-only mailing-list is used for announcements about Arkeia (new
releases, bug fixes, etc...) If you wish to modify your subscription or if
you want to subscribe to other Arkeia mailing-lists, please, go to:
http://www.arkeia.com/arkeialists.html
__________________________________________________ __
--------------070204040905080708060803--
--------------070204040905080708060803
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--------------070204040905080708060803
Content-Type: message/rfc822;
name="[arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="[arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue"
Return-Path: <owner-arkeia-announce@arkeia.com>
Delivered-To: mbogucki@artegence.com
Received: (qmail 28689 invoked by uid 510); 22 Feb 2005 23:50:48 -0000
Delivered-To: bogucki@3dart.com
Received: (qmail 28685 invoked by uid 507); 22 Feb 2005 23:50:48 -0000
Received: from owner-arkeia-announce@arkeia.com by rincewind by uid 504 with qmail-scanner-1.16
(avp: 3.0 build 133/3.0. spamassassin: 2.63. Clear:SA:0(-4.9/5.0):.
Processed in 17.461754 secs); 22 Feb 2005 23:50:48 -0000
X-Spam-Status: No, hits=-4.9 required=5.0
Received: from gw.arkeia.com (HELO mail.arkeia.com) (64.151.97.188)
by rincewind.non.3dart.com with SMTP; 22 Feb 2005 23:50:30 -0000
Received-SPF: pass (rincewind.non.3dart.com: local policy designates 64.151.97.188 as permitted sender)
Received: by mail.arkeia.com (Postfix)
id 41052AC154; Tue, 22 Feb 2005 15:49:23 -0800 (PST)
Delivered-To: arkeia-announce-45361328@arkeia.com
Received: from localhost (localhost [127.0.0.1])
by mail.arkeia.com (Postfix) with ESMTP id D5656AC155
for <arkeia-announce-45361328@arkeia.com>; Tue, 22 Feb 2005 15:49:22 -0800 (PST)
Received: from mail.arkeia.com ([127.0.0.1])
by localhost (wild.arkeia.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 16084-03 for <arkeia-announce-45361328@arkeia.com>;
Tue, 22 Feb 2005 15:49:08 -0800 (PST)
Received: by mail.arkeia.com (Postfix, from userid 1001)
id 9F65AAC13F; Tue, 22 Feb 2005 15:48:51 -0800 (PST)
Delivered-To: arkeia-announce@knox-software.com
Delivered-To: arkeia-announce@mail1.arkeia.com
Delivered-To: arkeia-announce@arkeia.com
Message-ID: <421BC4E5.5010504@arkeia.com>
Date: Tue, 22 Feb 2005 15:48:53 -0800
From: Arnaud Spicht <aspicht@arkeia.com>
User-Agent: Mozilla Thunderbird 1.0 (X11/20050107)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: arkeia-userlist@arkeia.com, arkeia-announce@arkeia.com
Subject: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on slox.arkeia.com
X-Spam-Level:
X-Virus-Scanned: by amavisd-new at arkeia.com
Sender: owner-arkeia-announce@arkeia.com
Precedence: bulk
Reply-To: Arnaud Spicht <aspicht@arkeia.com>
X-Virus-Scanned: by amavisd-new at arkeia.com
Arkeia annouces the release of Arkeia Network Backup 5.3.5.
This release fixes a buffer overflow bug described in bugtraq id 12594.
This bug could allow a remote attacker to execute arbitrary code
remotely, and such get root access to the machine.
If you are in a trusted private lan environment, you don't need to
upgrade.
However, if you are using Arkeia in an untrusted environment, it is
strongly advised to upgrade to this version.
The bug is in the arkeiad daemon process. So you have to upgrade all the
sensitive client machines.
You can get this new version for all client packages trough our ftp
site:
ftp://ftp.arkeia.com/pub/arkeia5.3/arkeia-network-backup
It is also strongly advised to read the Arkeia User Manual "Appendix B:
System Security" to secure Arkeia against system-level intrusion.
Here is the appendix:
APPENDIX B: System Security
---------------------------
This appendix describes what you need to do to secure Arkeia 5 against
system-level intrusion. If you are looking for information about data
security, or how to encrypt the data Arkeia puts onto backup tapes,
please see these references:
- Define options for the savepack on page 84;
- encryption configuration on page 168.
B.1. Client Security
--------------------
To achieve the best security on an Arkeia client computer, you need to
prevent:
- the client from being used as a server,
- access to the client from non-authorized backup servers, and
- access to configuration files.
This section explains how to secure an Arkeia client.
Deny server functions on a client
---------------------------------
Arkeia 5 consists of three main functional packages:
- backup server,
- client, and
- graphical interface.
To simplify installation, all three packages are installed every time.
When the installation is on a platform which can be either an Arkeia
server or client, there is a risk that an intruder who hacks into the
client computer could turn into a backup server.
To prevent this you can deny access to the server functions on a client
computer in the authorization configuration files (auth_ files).
Auth_ files are named using this convention:
$ARKEIA_DIR/arkeiad/auth_<PROCESS_NAME>.cfg
To deny access to a process, change the active line in the authorization
configuration file from ALLOW to DENY:
<PROCESS_NAME>.* DENY * *
For example:
ARKBKP.* DENY * *
The server auth_ files to change to DENY are:
a. auth_ARKBKP (Backup)
b. auth.ARKDUP (Tape duplication)
c. auth.ARKLIB (Tape library management)
d. auth_ARKNAV (Navigation)
e. auth_ARKRST (Restoration)
f. auth_ARKTRANS (Transaction)
Secure access to clients
------------------------
On most networks, it is advisable to deny backup access to clients,
except from the intended Arkeia server (or servers).
This is also done in the auth_ files.
The format to restrict access to a given backup server is:
<PROCESS_NAME>.* ALLOW <backup_server_FQDN> *
For example:
ARKADMIN.* ALLOW mercury.arkeia.com *
The client auth_ files to change are:
a. auth_ARKADMIN (Client administration)
b. auth_ARKFS (client backup, restore, navigation)
Plug-ins
--------
Plug-ins are generally forked by the local client, but it is also
advisable to restrict access to the local computer.
The format to limit access is:
ARKP<PLUGIN>.* ALLOW <local computer FQDN> *
For example:
ARKPMYSQL.* ALLOW mercury.arkeia.com *
Further access limitation
-------------------------
You can further tighten client access by requiring a connection on a
reserved port, and using a root account. The format to limit access is:
<PROCESS_NAME>.* ALLOW <backup server FQDN>[1] root
For example:
ARKADMIN.* ALLOW mercury.arkeia.com[1] root
Secure configuration files
--------------------------
Various Arkeia configuration files contain information such as
passwords and encryption keys, which should be restricted to prevent
unauthorized access.
The best way to do this is to make these files root read-only.
In a shell, run the following command:
# chmod 600 <filename>
The files to restrict are:
a. $ARKEIA_DIR/arkc/arkc.param
b. $HOME/.arkc/arkc.param
c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
d. $ARKEIA_DIR/arkeiad/cryptree.ark
e. $ARKEIA_DIR/arkeiad/admin.cfg
f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
f. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
h. path-to/<global encryption file>
B.2 Server Security
-------------------
To achieve the best security in an Arkeia Server,
- restrict access to the Arkeia backup server functions from remote
computers,
- reserve sensitive operations such as backup creation for an Arkeia
Administrator role, leaving daily operations to an Arkeia Operator
role,
- secure the server configuration files, and
- secure by encryption the data stream between the Arkeia server and
clients.
Secure access
-------------
You are able to manage backups and restores from any computer on the
network.
As backup administrator, you would normally do this from the server
computer, or your own computer, so it is advisable to restrict Arkeia
backup control to these computers.
On a Arkeia server, you can control access through the auth_ files, in
the same way you controlled access to Arkeia clients.
The format to limit access is:
<PROCESS_NAME>.* ALLOW <listof allowed hosts> *
For example:
ARKADMIN.* ALLOW mercury.arkeia.com|earth.arkeia.com *
Note that each allowed host FQDN is separated by a "|" (verticle broken
bar).
The server process authorization configuration files in which to list
the authorized hosts are:
a. auth_ARKBKP (Backup)
b. auth.ARKDUP (Tape duplication)
c. auth.ARKLIB (Tape library management)
d. auth_ARKNAV (Navigation)
e. auth_ARKRST (Restoration)
f. auth_ARKTRANS (Transaction)
Roles
-----
Once you have configured Arkeia to work the way you want it to,
changes to the configuration will be very rare.
It is advisable to create an account with OPERATOR and USER permissions
for the daily management of backups and restorations.
Secure configuration files
--------------------------
For the same reasons as client configuration files, server configuration
files should be restricted to prevent unauthorized access. The best way
to do this is to make these files root read-only.
In a shell, run the following command:
# chmod 600 <filename>
The files to restrict are:
a. $ARKEIA_DIR/arkc/arkc.param
b. $HOME/.arkc/arkc.param
c. $ARKEIA_DIR/arkobk.param (RMAN agent installed)
d. $ARKEIA_DIR/arkeiad/cryptree.ark
e. $ARKEIA_DIR/arkeiad/admin.cfg
f. $ARKEIA_DIR/arkeiad/AUTH_*.cfg
f. $ARKEIA_DIR/arkeiad/PROXY_*.cfg
h. path-to/<global encryption file>
i. $ARKEIA_DIR/server/dbase/f3sec/*
Port forwarding
---------------
By default, communications between Arkeia backup server and Arkeia
backup client is unencrypted.
You can use SSH to secure the data stream between the server and the
client. On the server computer, enter this command as root:
# ssh -g -L 617:<backup_server_hostname>:619 <client_hostname>
When Arkeia connects to port 617 on a client, the data is forwarded over
the secure channel to client_hostname, port 619.
You must change the Arkeia backup client to 619, see Arkeia daemon
management on page 160 of Arkeia User manual for instructions on how to
do this.
For example:
# ssh -g -L 617:earth.arkeia.com:619 mercury.arkeia.com
Data will now pass by an encrypted channel between port 61 on the backup
server earth.arkeia.com and port 619 on the client mercury.arkeia.com
If you want to apply this setting automatically when the server computer
is booted, add the above command to the file /etc/ssh/ssh_config
--
Arnaud Spicht, CTO
Arkeia Corp Arkeia SA
1808 Aston Avenue, Suite 220 41 rue Delizy
Carlsbad, CA 92008 93692 Pantin Cedex
USA France
Tel: (760) 431.1319 x2004 Tel: +33 (0)1 48 10 89 89
Fax: (760) 602.8599 Fax: +33 (0)1 48 10 89 90
http://www.arkeia.com
__________________________________________________ ______________________
This email message is for the sole use of the intended recipient(s) and
may contain confidential information or information belonging to Arkeia
Corp. The unauthorized disclosure, use, dissemination or copying (either
whole or partial) of this e-mail, or any information it contains, is
prohibited.
If you are not the intended recipient of this e-mail, please delete it
immediately from your system and notify the sender of the wrong delivery
by reply email. Thank you.
__________________________________________________ _
This read-only mailing-list is used for announcements about Arkeia (new
releases, bug fixes, etc...) If you wish to modify your subscription or if
you want to subscribe to other Arkeia mailing-lists, please, go to:
http://www.arkeia.com/arkeialists.html
__________________________________________________ __
--------------070204040905080708060803--