iSCSI, also known as Internet SCSI (Small Computer System Interface), is a popular new protocol that allows the SCSI protocol to be used over traditional IP networks. The primary iSCSI implementation for Linux, "Linux-iSCSI", is a freely available software package primarily maintained by Cisco Systems. More information about it is available at
iSCSI's primary authentication mechanism for users is the Challenge Handshake Authentication Protocol (CHAP), which is very resilient against replay attacks and provides strong protection for a user's password. More information on CHAP is available in RFC 1994, a copy of which can be read at http://www.ietf.org/rfc/rfc1994.txt. CHAP requires a user's password to connect, and in order to automate this process the user must provide a clear text version of the password to the system. This is then stored, in clear text, so that it will be accessible when needed. Care must be taken to ensure configuration files containing the clear text password are properly protected.
Linux-iSCSI stores its primary configuration directives in the file /etc/iscsi.conf. This is created world writeable by default and no mention is made in the file of the importance of protecting it from being read by attackers. At least one vendor has shipped this file world readable in the default configuration of a beta release of an operating system; when notified, they stated it would be fixed in the release version of the operating system.
Any authentication systems that require clear text passwords to be stored should be carefully audited to ensure that passwords are properly protected. This problem can also potentially affect numerous packages, ranging from NTP and BIND to iSCSI - all of which require stored passwords or secrets.
Check the permissions on the file /etc/iscsi.conf. The file should be owned by the user and group root, and only the root user should be granted read and write access to the file; all other permissions should be removed (i.e. file permissions should be 0400).
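The check above can be scripted. The following is an added example, not part of the original advisory or of the Linux-iSCSI package: it reports ownership and group/other permission problems on a file holding a clear text secret. The function name, the DEFAULT_PATHS list and the expected_uid/expected_gid parameters are assumptions made for illustration; only the path /etc/iscsi.conf comes from the advisory.

```python
import os
import stat

# Only /etc/iscsi.conf comes from the advisory; extend the list for other
# packages on the system that store clear text secrets.
DEFAULT_PATHS = ["/etc/iscsi.conf"]

# Permission bits that must not be set on a file holding a clear text secret.
FORBIDDEN_BITS = [
    (stat.S_IRWXG, "group access"),
    (stat.S_IROTH, "world readable"),
    (stat.S_IWOTH, "world writable"),
    (stat.S_IXOTH, "world executable"),
]


def audit_secret_file(path, expected_uid=0, expected_gid=0):
    """Return a list of findings; an empty list means the file passes."""
    try:
        # lstat so that a symlink at the path is reported, not followed.
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"group gid {st.st_gid}, expected {expected_gid}")
    mode = stat.S_IMODE(st.st_mode)
    for mask, label in FORBIDDEN_BITS:
        if mode & mask:
            findings.append(f"{label} (mode {mode:04o})")
    return findings


if __name__ == "__main__":
    for path in DEFAULT_PATHS:
        problems = audit_secret_file(path)
        print(f"{path}: {'OK' if not problems else '; '.join(problems)}")
```

Both mode 0400 and the mode 600 reported by SuSE pass this check, since neither grants access to group or other.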
No workaround is available as of this writing.
Red Hat Inc. has confirmed that the file /etc/iscsi.conf was set world readable in the Limbo Beta, and that it will be fixed in the next release version of Red Hat Linux. SuSE Inc. has confirmed that the file permissions are set correctly on /etc/iscsi.conf. No other major Linux vendors appear to be shipping the iSCSI package yet.
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-0849 to this issue.
07/11/2002 Problem found on Red Hat Linux Limbo Beta #1. Initial contacts sent to Red Hat, SuSE and Cisco
07/12/2002 SuSE confirms file mode 600 by default, not vulnerable. Email sent to Matthew Franz at Cisco; additional Cisco employees also contacted. iSCSI for Linux is an external project at Cisco, so PSIRT was not used. No response ever received
07/17/2002 iDEFENSE clients notified
07/29/2002 Problem confirmed in Red Hat Limbo Beta #2. Red Hat contacted again, no response received
08/06/2002 No update of Linux iSCSI, nor mention of problem on website
08/08/2002 iDEFENSE releases public advisory
Kurt Seifried (email@example.com) is credited with discovering this issue.