COMMAND

    RapidStream VPN Appliances

SYSTEMS AFFECTED

    RapidStream VPN Appliances

PROBLEM

    Loki Loa found the following. A hard-coded rsadmin account for SSH
    was put in during the 2.1 Beta for support purposes, but it was
    removed in the 2.1 release.

    If you have a RapidStream 2.1 Beta box, please configure a policy
    to block SSHD (port 22) as indicated in the report.

    RapidStream has hard-coded the 'rsadmin' account into the sshd
    binary in the appliance OS. The account was given a 'null'
    password, on the assumption that password assignment and
    authentication would be handled by the RapidStream software itself.
    The vendor failed to realize that an arbitrary command can be
    passed to ssh as the command string when connecting to the SSH
    server on the remote VPN appliance. This in effect can lead to many
    things, including the ability to spawn a remote root shell on the
    VPN.

        e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "/bin/sh -i;"
        e.g. [root@attacker]# ssh -l rsadmin <ip of vpn> "vi /etc/shadow"

    Impact:
    1. The attacker can use the VPN to ftp, and even install and run
       packet sniffers on the VPN, which will allow him to sniff all
       traffic coming in and out of the VPN. Because the administrator
       is not aware of the ability to spawn root shells, the intruder
       can go completely undetected.
    2. Immediate remote root access to the VPN.
    3. The attacker can download the /etc/shadow file to crack
       accounts, including root. This will give the attacker the
       default password for all root accounts on all deployed
       RapidStream products.

SOLUTION

    RapidStream has been contacted and is working on a new revision in
    which SSHD is not installed. Those who do not wish to wait can put
    the VPN appliance behind a firewall where port 22 has been closed.
    An alternative is to use the vulnerability to ssh into the VPN and
    turn off SSHD yourself.
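    The workaround above only helps if port 22 on the appliance really
    is unreachable from untrusted networks. The following script is an
    added example, not part of the original advisory or of any
    RapidStream software: run from the untrusted side of the firewall,
    it attempts a plain TCP connection to port 22 on each appliance and
    reports whether the port is still exposed. The host list is a
    constructed placeholder; nothing is sent after the connection, so
    the check does not touch the sshd login itself.

```python
import socket

# Port from the advisory: the hard-coded rsadmin account lives in sshd.
SSH_PORT = 22


def port_reachable(host, port=SSH_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port completes.

    A completed handshake means the firewall policy is NOT blocking the
    port; a refused or timed-out connection means it is blocked (or the
    service is down). No data is sent after connecting.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def exposure_report(appliances, port=SSH_PORT):
    """Map each appliance address to 'EXPOSED' or 'blocked'."""
    return {
        host: ("EXPOSED" if port_reachable(host, port) else "blocked")
        for host in appliances
    }


def any_exposed(report):
    """True if at least one appliance still answers on the SSH port."""
    return any(state == "EXPOSED" for state in report.values())


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with the appliance
    # addresses as seen from the untrusted network.
    appliances = ["192.0.2.10", "192.0.2.11"]
    report = exposure_report(appliances)
    for host, state in report.items():
        print(f"{host}:{SSH_PORT} {state}")
    # Non-zero exit makes the check usable from a scheduled job.
    raise SystemExit(1 if any_exposed(report) else 0)
```

    Run it from a host outside the firewall after applying the port 22
    policy; an EXPOSED line means the block is not in effect on that
    path. Re-run it periodically, since a later firewall change can
    silently re-open the port.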

    The released RapidStream 2000, RapidStream 4000, RapidStream 6000
    and RapidStream 8000 products are not affected by the reported
    attack.