COMMAND
Cobalt Networks RaQ2 servers
SYSTEMS AFFECTED
Cobalt Networks RaQ2 single rack unit Internet servers
PROBLEM
The following is based on a Cobalt Networks Security Announcement. A
vulnerability has been discovered in the default configuration of
Cobalt Networks RaQ2 servers that allows remote users to install
arbitrary software packages to the system. RaQ2 servers are
configured with an administrative webserver to process remote
requests to manage the unit. Systems installed with the default
configuration have insufficient access control mechanisms to
prevent remote users from adding arbitrary software packages to
the system using this webserver.
Any remote user who can establish a connection to an
administrative port on a vulnerable RaQ2 server can install
arbitrary software packages on the server. This access can then
be used to gain root privileges on the system.
An article on a security exploit was published by Wired Magazine
and the San Jose Mercury News. An individual obtained password
information from history files on a Cobalt RaQ. With the RaQ,
user directories are contained within the web tree. This is
intentional since the purpose of our servers is for users to serve
content on the web.
The /etc/skel directory does not populate user directories with
any files other than the index.html file and a private directory.
However, if a user telnets into the box and runs various shell
commands, the bash shell maintains a .bash_history file. The
.bash_history file is readable by the web server. If the admin
user inadvertently types the root password at the command line
(as a command rather than as an authentication response), the
password will be recorded in the .bash_history file. This only
affects people who telnet into the machine and make the mistake
of typing their password in as a command.
SOLUTION
Configure your systems to guard against this vulnerability.
Install the patches provided by Cobalt Networks:
http://www.cobaltnet.com/patches/RaQ2-Security-1.0.pkg (For RaQ2 servers)
http://www.cobaltnet.com/patches/RaQ2J-Security-1.0.pkg (For Japanese versions of the RaQ2 system)
Cobalt has released a security patch in the form of a package file
that is installed through the web interface. The package file
removes the .bash_history file, and changes file permissions if
it is re-created in user home directories. Package files are
available via FTP at: ftp://ftp.cobaltnet.com/pub/security or on the
website via HTTP at: ShellHistoryPatch-1.1.pkg.
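
The check below is an added example, not Cobalt's package and not code
from the announcement. It audits a tree of user home directories for
shell history files that the web server could read and restricts them to
the owner. The function names, the extra history file names and the path
given on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit shell history files exposed inside a web tree.
# "Exposed" here means the "other" read bit is set, which is what lets a
# web server running as an unprivileged user serve the file.

# Run find over the history file names, with extra predicates appended.
# .sh_history and .history are assumed extras; the advisory names only
# .bash_history.
history_find() {
    root=$1
    shift
    find "$root" -type f \
        \( -name .bash_history -o -name .sh_history -o -name .history \) \
        "$@" 2>/dev/null
}

# Print every history file under the tree that is readable by "other".
find_exposed_history() {
    history_find "$1" -perm -004 -print
}

# Set each exposed history file to mode 0600 and print how many changed.
harden_history() {
    history_find "$1" -perm -004 -exec chmod 600 {} \; -print |
        wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh /path/to/home/tree   (path is an assumption)
if [ "$#" -gt 0 ]; then
    echo "History files readable by other under $1:"
    find_exposed_history "$1"
    echo "Files restricted to owner: $(harden_history "$1")"
fi
```

A history file that was exposed should be treated as disclosed: change
any password that may have been typed as a command.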